[news.sysadmin] Getting Complacent

weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/09/88)

In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
>> Does your car insurance cover theft of contents when you leave the
>> doors unlocked?

>Does that make it less of a crime?

Who cares?  Why is it SO IMPORTANT to have the MORAL HIGH GROUND?  So
that you can feel justified about being smug and complacent re security?

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720

spaf@cs.purdue.edu (Gene Spafford) (11/10/88)

In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
>>Does that make it less of a crime?
>
>Who cares?  Why is it SO IMPORTANT to have the MORAL HIGH GROUND?  So
>that you can feel justified about being smug and complacent re security?

1) Rick (and I and others) are hardly smug and complacent about
security.  We're working on it, and have been working on it, for
quite some time, although that is not our primary job.  Just
because we don't tell you and the Usenet about it doesn't mean
we aren't acting on it.  In fact, considering your behavioral
aspects, not telling you about anything is an important part
of a good security program.

2) Some of us are concerned about ethical issues in addition to
technical issues.  Too many people are not concerned with ethics,
professionalism, liability, et al.  and we see technology as not
providing all the answers to important questions. That you are
unconcerned with ethics does not seem surprising to many of us.

3) Please, please insult Indiana some more -- it makes you appear so
terribly clever and humorous.  You're so cute when you're rabid.
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

was@creare.UUCP (Wayne Smith) (11/11/88)

In article <5366@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>
>>Who cares?  Why is it SO IMPORTANT to have the MORAL HIGH GROUND?  So
>>that you can feel justified about being smug and complacent re security?
>
>1) Rick (and I and others) are hardly smug and complacent about
>security.  We're working on it, and have been working on it, for
>quite some time, although that is not our primary job.

Ah, you're much too modest.  I'd say all that work has paid off
handsomely.  You are much more smug and complacent than you give
yourself credit for.  1/4:)

>2) Some of us are concerned about ethical issues in addition to
>technical issues.  Too many people are not concerned with ethics,
>professionalism, liability, et al.

Ethical considerations are not going to help secure my installation
from theft and vandalism.  As many (especially those who would like to
see RTM hang) have testified, we can be greatly inconvenienced and
even injured by a breach of security.  The problem is, as weemba has
reiterated, that keeping holes out of the view of the "general public"
does not keep them from being used maliciously by vandals, terrorists,
etc.  It only keeps them from being fixed.  Thanks to RTM, a few of
these holes were moved into plain view and the general public was
forced to stop and look.  We screamed at the sight, the thought of
falling in, and the inconvenience of having to stop, and together, we
demanded that the biggest holes be patched.  Unfortunately, some of us
think a good way to help keep other holes from being maliciously
exploited is to make an example of the person who forced us to look.

I think that people like you, Spaf, do the Unix community a disservice
by insisting that we are better off not knowing the details of the
holes in our own systems.  Do you flatter yourself that you can
mobilize the likes of DEC, AT&T, HP, Sun, and IBM to go to the trouble
and expense of fixing thousands of installed Unix systems when none of
their customers know of any specific problem?  What kind of secret
note can you alone send that will grab their attention and send them
scurrying to fix the problem?

I am sure that it is people like you who are qualified to find the
holes and provide the fixes (with the help of individuals like RTM),
but it is WE who motivate and move the market.  If WE do not know the
problems, their details, and the dangers they present, they will not
be repaired.
-- 
Wayne A. Smith
Creare Inc.		arpa:	was%creare%dartmouth.edu@relay.cs.net
P.O. Box 71		uucp:	dartvax!creare!was
Hanover, NH 03755	phone:	(603) 643-3800

jwm@stdc.jhuapl.edu (Jim Meritt) (11/15/88)

In article <5366@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
}In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
}>In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
}>>Does that make it less of a crime?
}>
}>Who cares?  Why is it SO IMPORTANT to have the MORAL HIGH GROUND?  So
}>that you can feel justified about being smug and complacent re security?
}
}1) Rick (and I and others) are hardly smug and complacent about
}security.  We're working on it, and have been working on it, for
}quite some time, although that is not our primary job.  Just
}because we don't tell you and the Usenet about it doesn't mean
}we aren't acting on it.  In fact, considering your behavioral
}aspects, not telling you about anything is an important part
}of a good security program.

From what I have seen, not telling people anything has been a major
component of the system(s) security program.  

Might I submit that that is not a very reliable component - ignorance
can be cured, and I really would not want to be in the position of
depending on it NOT being done so.

Sure, Matt can irritate.  But is he incorrect on the reality of the
situation?  The world is not a nice place.  Wishing it so does no
good.  Fixing it does good.

LET'S GET THAT SECURITY NEWSGROUP UP FOR *U*S*E*R*S*!!!!!
Who do you think is using the systems?


Disclaimer:  "It's mine!  All mine!!!"   
					- D. Duck

zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) (11/15/88)

I sure wouldn't mind if some trustworthy group took it upon themselves 
to randomly test systems for security problems and sent mail to root 
if they found anything.  Along with some guidelines for ethical 
security testing, I think it's just what we need.  A benign, carefully 
written worm could also be a good thing.  

-- 
Jon Zeeff      		 	A month ago, I broke your system and
umix!b-tech!zeeff		modified your kernel.  Can you prove
zeeff@b-tech.ann-arbor.mi.us	me wrong?