[news.sysadmin] The viral high ground, etc.

bin@rhesus.primate.wisc.edu (Brain in Neutral) (11/12/88)

From article <16843@agate.BERKELEY.EDU>, by weemba@garnet.berkeley.edu (Obnoxious Math Grad Student):
> I don't see why being defeatist or not matters.  Personally, I think
> of myself as somewhere between cynical and realistic.  Anyway, I've
> been called worse in the past.

I'm not trying to call you anything.  (yet! :-) )

Being defeatist would matter if it caused us not to take a course
of action which, if taken, would have made our installations more
secure *or* less subject to attack.  These are not quite the same.

You have focused more on virus-proofing installations, others have
focused on encouraging or requiring ethical behavior.  As I read your
articles I get the sense you consider the latter relatively valueless,
*so much so* that such approaches will produce no result at all.  If by
"no result" we mean no increase in security, then certainly you are
right, in the sense that an installation's security is not a function
of whether I might or might not attack it, depending on my ethical
beliefs.  An insecure site is insecure regardless of whether it's been
attacked.  But if by "no result" we mean no difference in the number of
*actual* attacks, then I think we can reasonably say that approaches
oriented toward ethics will *not* be without result.

> How many sites would be wiped out if a fire hit your computer room?
> Are your backups in the same room as your disks and computers?  This
> is a small potatoes question that could have big potatoes consequences,
> yet this kind of thinking is routinely just not done.
> 
> You have to approach security in the same way.

That's correct, but there should still be consequences for someone who
deliberately sets a fire, shouldn't there?

>>You yourself concur that the net will not be made totally secure, but
>>can be made *more* secure.  It seems reasonable that a greater degree
>>of ethical behavior (instilled, say, by highly adverse consequences for
>>unethical behavior) would also make the net *more* secure, even though
>>not totally secure.
> 
> Making theft possible only for those with the heaviest of hardware
> does more, I hazard, than teaching kids to "just say no" to stealing.

Well now, I'd say that this is a mischaracterization of my argument
(something I know you don't like when you think others do it to you),
for the reason that enacting highly adverse consequences is not the
same as saying "just say no".  "just say no" would probably be a failure
in this arena just as I'll bet it will be in the public schools.  From
what I hear from the kids I teach in my Sunday school class, they're
taught to "just say no" (to, e.g., drugs, peer pressure), but not
especially WHY.  These kids aren't stupid:  you can imagine how much
respect they have for such teaching.  It would be the same on the
Internet.  A mandate requiring particular behavior which imparts no
comprehension of the reasons why or why not to engage in that behavior
will probably do little.  But that is not to say let's throw up our
hands.  People are not always fools, and often respond in reasonable
ways to societal consensus.

Paul DuBois
dubois@primate.wisc.edu

weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/13/88)

In article <426@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>Being defeatist would matter if it caused us not to take a course
>of action which, if taken, would have made our installations more
>secure *or* less subject to attack.  These are not quite the same.

My view is that the improve-ethics approach is the defeatist approach,
using the above definition.

>You have focused more on virus-proofing installations, others have
>focused on encouraging or requiring ethical behavior.

Not just virus-proofing, but security consciousness raising in general.
If all that came out of the Morris worm was anti-Morris-worm software,
we haven't learned anything.

>An insecure site is insecure regardless of whether it's been
>attacked.  But if by "no result" we mean no difference in the number of
>*actual* attacks, then I think we can reasonably say that approaches
>oriented toward ethics will *not* be without result.

The number will not matter if just one of them is a complete major
disaster.

>> How many sites would be wiped out if a fire hit your computer room?
>> Are your backups in the same room as your disks and computers?

>That's correct, but there should still be consequences for someone who
>deliberately sets a fire, shouldn't there?

Of course.  But how many sites make it easy?

>> Making theft possible only for those with the heaviest of hardware
>> does more, I hazard, than teaching kids to "just say no" to stealing.

>Well now, I'd say that this is a mischaracterization of my argument
>(something I know you don't like when you think others do it to you),

Guilty as charged.  What I should have said is in some of my other
recent articles.

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720