weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/09/88)
In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
>> Does your car insurance cover theft of contents when you leave the
>> doors unlocked?
>Does that make it less of a crime?

Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So that you can feel justified about being smug and complacent re security?

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720
spaf@cs.purdue.edu (Gene Spafford) (11/10/88)
In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
>>Does that make it less of a crime?
>
>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
>that you can feel justified about being smug and complacent re security?

1) Rick (and I and others) are hardly smug and complacent about security. We're working on it, and have been working on it, for quite some time, although that is not our primary job. Just because we don't tell you and the Usenet about it doesn't mean we aren't acting on it. In fact, considering your behavioral aspects, not telling you about anything is an important part of a good security program.

2) Some of us are concerned about ethical issues in addition to technical issues. Too many people are not concerned with ethics, professionalism, liability, et al. and we see technology as not providing all the answers to important questions. That you are unconcerned with ethics does not seem surprising to many of us.

3) Please, please insult Indiana some more -- it makes you appear so terribly clever and humorous. You're so cute when you're rabid.

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
was@creare.UUCP (Wayne Smith) (11/11/88)
In article <5366@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>
>>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
>>that you can feel justified about being smug and complacent re security?
>
>1) Rick (and I and others) are hardly smug and complacent about
>security. We're working on it, and have been working on it, for
>quite some time, although that is not our primary job.

Ah, you're much too modest. I'd say all that work has paid off handsomely. You are much more smug and complacent than you give yourself credit for. 1/4:)

>2) Some of us are concerned about ethical issues in addition to
>technical issues. Too many people are not concerned with ethics,
>professionalism, liability, et al.

Ethical considerations are not going to help secure my installation from theft and vandalism. As many (especially those who would like to see RTM hang) have testified, we can be greatly inconvenienced and even injured by a breach of security. The problem is, as weemba has reiterated, that keeping holes out of the view of the "general public" does not keep them from being used maliciously by vandals, terrorists, etc. It only keeps them from being fixed.

Thanks to RTM, a few of these holes were moved into plain view and the general public was forced to stop and look. We screamed at the sight, the thought of falling in, and the inconvenience of having to stop, and together, we demanded that the biggest holes be patched. Unfortunately, some of us think a good way to help keep other holes from being maliciously exploited is to make an example of the person who forced us to look.

I think that people like you, Spaf, do the Unix community a disservice by insisting that we are better off not knowing the details of the holes in our own systems.

Do you flatter yourself that you can mobilize the likes of DEC, AT&T, HP, Sun, and IBM to go to the trouble and expense of fixing thousands of installed Unix systems when none of their customers know of any specific problem? What kind of secret note can you alone send that will grab their attention and send them scurrying to fix the problem?

I am sure that it is people like you who are qualified to find the holes and provide the fixes (with the help of individuals like RTM), but it is WE who motivate and move the market. If WE do not know the problems, their details, and the dangers they present, they will not be repaired.

--
Wayne A. Smith
Creare Inc.          arpa: was%creare%dartmouth.edu@relay.cs.net
P.O. Box 71          uucp: dartvax!creare!was
Hanover, NH 03755    phone: (603) 643-3800
jwm@stdc.jhuapl.edu (Jim Meritt) (11/15/88)
In article <5366@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
}In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
}>In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
}>>Does that make it less of a crime?
}>
}>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
}>that you can feel justified about being smug and complacent re security?
}
}1) Rick (and I and others) are hardly smug and complacent about
}security. We're working on it, and have been working on it, for
}quite some time, although that is not our primary job. Just
}because we don't tell you and the Usenet about it doesn't mean
}we aren't acting on it. In fact, considering your behavioral
}aspects, not telling you about anything is an important part
}of a good security program.

From what I have seen, not telling people anything has been a major component of the system(s) security program. Might I submit that that is not a very reliable component - ignorance can be cured, and I really would not want to be in the position of depending on it NOT being done so.

Sure, Matt can irritate. But is he incorrect on the reality of the situation? The world is not a nice place. Wishing it so does no good. Fixing it does good.

LET'S GET THAT SECURITY NEWSGROUP UP FOR *U*S*E*R*S*!!!!! Who do you think is using the systems?

Disclaimer: "It's mine! All mine!!!" - D. Duck
zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) (11/15/88)
I sure wouldn't mind if some trustworthy group took it upon themselves to randomly test systems for security problems and sent mail to root if they found anything. Along with some guidelines for ethical security testing, I think it's just what we need. A benign, carefully written worm could also be a good thing.

--
Jon Zeeff
umix!b-tech!zeeff
zeeff@b-tech.ann-arbor.mi.us
A month ago, I broke your system and modified your kernel. Can you prove me wrong?