weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/09/88)
Note: news.sysadmin (about administrating systems) is more appropriate than news.admin (about administrating netnews) for discussing the worm. Followups have been directed there.

In article <6470@galbp.LBP.HARRIS.COM>, mhw@wittsend (Michael H. Warfield) writes:
> Agreed! And all the more reason to roast this guy over slow
> coals. If others see him get away with it (and probably end up with a
> good job in computer security to boot) they will definitely get the idea
> that this is the "in" thing to do. Lock him away but good, and they
> might think a bit before risking a 20 year sentence for a "prank".

WAKE UP!

It doesn't matter if people do or do not get the idea that this is an "in" thing to do. All it takes is ONE person to wreak REAL havoc on the ARPANET. Just ONE. Think about it. Whether or not *most* people get the idea that random cracking is bad, you should run your system on the assumption that there is ONE person out there who is going to TOTALLY TRASH your system--if you let him.

Random cracking can take place nowadays because people like you are so goddam concerned with getting the punitives right. Do you leave your front door wide open with signs saying "expensive stuff inside", trusting to the LAW to protect your possessions? HELL NO!!! So why do you treat your computers in this manner? Hoping that the legal system is going to protect you here is so totally misguided.

PROTECT YOURSELF!

ucbvax!garnet!weemba    Matthew P Wiener/Brahms Gang/Berkeley CA 94720
henry@utzoo.uucp (Henry Spencer) (11/11/88)
In article <16720@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>> ... all the more reason to roast this guy over slow
>> coals. If others see him get away with it (and probably end up with a
>> good job in computer security to boot) they will definitely get the idea
>> that this is the "in" thing to do...
>
> It doesn't matter if people do or do not get the idea that this is an
> "in" thing to do. All it takes is ONE person to wreak REAL havoc on
> the ARPANET. Just ONE. Think about it. Whether or not *most* people
> get the idea that random cracking is bad, you should run your system
> on the assumption that there is ONE person out there who is going to
> TOTALLY TRASH your system--if you let him.... So why do you
> treat your computers in this manner? Hoping that the legal system is
> going to protect you here is so totally misguided. PROTECT YOURSELF!

I don't see anybody suggesting that the legal system is going to be our sole protection, even if we crucify Morris Jr. Of course there is always going to be the occasional bozo. But we can never have perfect security. The most we can do is stack the deck in our favor IN AS MANY WAYS AS WE CAN. The number of successful penetrations is the product of two numbers: the number of attempts and the probability of success. To reduce that product to the smallest number possible, we have to reduce *both* factors. So we reduce the probability of success by tightening up our systems, AND we reduce the number of attempts by making it clear that success brings punishment, not reward. The two approaches are not mutually incompatible!

--
Sendmail is a bug,        | Henry Spencer at U of Toronto Zoology
not a feature.            | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/13/88)
>>> ... all the more reason to roast this guy over slow coals. If
>>> others see him get away with it (and probably end up with a good job
>>> in computer security to boot) they will definitely get the idea that
>>> this is the "in" thing to do... [someone]
>> [my comments]
> I don't see anybody suggesting that the legal system is going to be our
> sole protection, even if we crucify Morris Jr. [Henry]

That's how I interpret comments like >>> above. I simply do not expect Morris to get much in the way of punishment, and so statements that emphasize the importance of such punishment strike me as so much ostrich thinking.

> Of course there is always
> going to be the occasional bozo. But we can never have perfect security.
> The most we can do is stack the deck in our favor IN AS MANY WAYS AS WE CAN.
> The number of successful penetrations is the product of two numbers: the
> number of attempts and the probability of success. To reduce that product
> to the smallest number possible, we have to reduce *both* factors.

I believe that the best way to reduce the former number is by making the latter much smaller. We've all gotten so lackadaisical about UNIX and net security that we just take it for granted that the first number is embarrassingly large. Knock down the second number a serious amount, and the number of attempts will go way down when the new very large failure rate becomes generally known.

The point is, while perfect security is a chimera, security against all but the most determined foe seems a reasonable goal to aim for. But you know what? People don't want to even do that!

For example: Karl has cited the anon ftp bug getting fixed in secret as being proof that the system works. Utter hah. A friend who likes this sort of scuttlebutt has told me that the fix simply hasn't been put in at numerous sites that still offer anon ftp.

So what happens when Worm version 2 comes around using the FTPD bug (and probably 80% of the passwords that Worm version 1 gleaned on its first trip around, assuming that RTM saved them somewhere and someone else has filched them to a safe spot)? Another round of screaming how DARE so-and-so? Dare or not simply seems mighty irrelevant to me: if your machine is important to you, you'll be ready for it. And if everyone took the attitude that their machine was important, then the charm of writing Morris worms will wear off. Which is just as effective as a massive raising in cracker ethics.

> So we
> reduce the probability of success by tightening up our systems, AND we
> reduce the number of attempts by making it clear that success brings
> punishment, not reward. The two approaches are not mutually incompatible!

No. As I said, I just don't believe the second will occur. And acting as if it will is thus dangerous (in my eyes).

Defining things like viruses and worms and no doubt illegal computer access in general requires one to solve the halting problem. (Eg, is a program that loops until it finds a counterexample to Fermat's Last Theorem, at which point it invades other machines, a worm or not?) Will *any* attempt at legislation here be thrown out on constitutional grounds as too vague? Not a pleasant thought, but one that must be faced. Especially because the relevant laws are too vague RIGHT NOW: they have to go through actual court cases and appeals and so on before their scare value can be estimated, let alone relied on. Aiyiyi.

To me, the only hope is a widespread realization that we can only reduce the number of attempts by making it clear that success is damned unlikely.

ucbvax!garnet!weemba    Matthew P Wiener/Brahms Gang/Berkeley CA 94720