bin@rhesus.primate.wisc.edu (Brain in Neutral) (11/12/88)
From article <16843@agate.BERKELEY.EDU>, by weemba@garnet.berkeley.edu (Obnoxious Math Grad Student):
> I don't see why being defeatist or not matters. Personally, I think
> of myself as somewhere between cynical and realistic. Anyway, I've
> been called worse in the past.

I'm not trying to call you anything. (yet! :-) ) Being defeatist would matter if it caused us not to take a course of action which, if taken, would have made our installations more secure *or* less subject to attack. These are not quite the same.

You have focused more on virus-proofing installations, others have focused on encouraging or requiring ethical behavior. As I read your articles I get the sense you consider the latter relatively valueless, *so much so* that such approaches will produce no result at all.

If by "no result" we mean no increase in security, then certainly you are right, in the sense that an installation's security is not a function of whether I might or might not attack it, depending on my ethical beliefs. An insecure site is insecure regardless of whether it's been attacked. But if by "no result" we mean no difference in the number of *actual* attacks, then I think we can reasonably say that approaches oriented toward ethics will *not* be without result.

> How many sites would be wiped out if a fire hit your computer room?
> Are your backups in the same room as your disks and computers? This
> is a small potatoes question that could have big potatoes consequences,
> yet this kind of thinking is routinely just not done.
>
> You have to approach security in the same way.

That's correct, but there should still be consequences for someone who deliberately sets a fire, shouldn't there?

>>You yourself concur that the net will not be made totally secure, but
>>can be made *more* secure. It seems reasonable that a greater degree
>>of ethical behavior (instilled, say, by highly adverse consequences for
>>unethical behavior) would also make the net *more* secure, even though
>>not totally secure.
>
> Making theft possible only for those with the heaviest of hardware
> does more, I hazard, than teaching kids to "just say no" to stealing.

Well now, I'd say that this is a mischaracterization of my argument (something I know you don't like when you think others do it to you), for the reason that enacting highly adverse consequences is not the same as saying "just say no".

"Just say no" would probably be a failure in this arena just as I'll bet it will be in the public schools. From what I hear from the kids I teach in my Sunday school class, they're taught to "just say no" (to, e.g., drugs, peer pressure), but not especially WHY. These kids aren't stupid: you can imagine how much respect they have for such teaching.

It would be the same on the Internet. A mandate requiring particular behavior which imparts no comprehension of the reasons why or why not to engage in that behavior will probably do little. But that is not to say let's throw up our hands. People are not always fools, and often respond in reasonable ways to societal consensus.

Paul DuBois dubois@primate.wisc.edu

weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/13/88)
In article <426@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>Being defeatist would matter if it caused us not to take a course
>of action which, if taken, would have made our installations more
>secure *or* less subject to attack. These are not quite the same.

My view is that the improve-ethics approach is the defeatist approach, using the above definition.

>You have focused more on virus-proofing installations, others have
>focused on encouraging or requiring ethical behavior.

Not just virus-proofing, but security consciousness raising in general. If all that came out of the Morris worm was anti-Morris-worm software, we haven't learned anything.

> An insecure site is insecure regardless of whether it's been
>attacked. But if by "no result" we mean no difference in the number of
>*actual* attacks, then I think we can reasonably say that approaches
>oriented toward ethics will *not* be without result.

The number will not matter if just one of them is a complete major disaster.

>> How many sites would be wiped out if a fire hit your computer room?
>> Are your backups in the same room as your disks and computers?
>That's correct, but there should still be consequences for someone who
>deliberately sets a fire, shouldn't there?

Of course. But how many sites make it easy?

>> Making theft possible only for those with the heaviest of hardware
>> does more, I hazard, than teaching kids to "just say no" to stealing.
>Well now, I'd say that this is a mischaracterization of my argument
>(something I know you don't like when you think others do it to you),

Guilty as charged. What I should have said is in some of my other recent articles.

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720