[alt.config] Security, not obscurity --> unmoderated

gnu@hoptoad.uucp (John Gilmore) (04/09/90)

I'm glad to see how many people are in favor of security rather than
obscurity.  Even CERT (the Computer Emergency Response Team) these days
seems to be in favor of it.  Someone posted that the headers on their
messages prohibit redistribution, but that's not true:  it's the
"Security mailing list" that has this botch.  (I'm on both CERT-Tools
and the Security Mailing List.)  On the other hand, CERT didn't announce
the recent large set of Internet breakins (reported in the NY Times),
so they are not pristine either.

I would like to argue in favor of an unmoderated alt newsgroup for
security issues.  Clearly, I could've created one anyway, but so many
people seem to want moderation that I want to explain my reasons, and
see if you agree.

The essence of the problem we currently have is control.  Somebody in a
position to control distribution of security information is making the
wrong decisions about who gets to see it.  Actually this is several
somebodies, and some of the 'wrong decisions' are not maliciously made,
but are inherent in the structure of how they set it up (high overhead
for "verification", paranoia assuming every subscriber is a cracker
unless proven otherwise, etc).

Now almost all the proposals I hear for a fix to this problem involve
setting up yet another point for control of distribution -- a
moderator.  Since no candidates have been suggested as moderator
(except one self-suggestion by someone), we clearly can't evaluate the
moderator's credentials.  But even if an impeccable person is available
and willing at the moment, long net experience shows that they will not
stay in that job forever.  And when they run out of time, the decision
on the new moderator will be made primarily on who's available, not on
their qualifications, since most qualified people will be unavailable.
In short, it sets up a structure where the same problem will recur, and
in that case, why bother?  You could campaign to replace the current
moderator of the current list with equal result.

There seem to be two facets of the problem:  where sysadmins can get
security information, and where they can send security information.  A
moderated newsgroup solves the first (anyone can subscribe to it), but
not the second (not everyone can post to it).  An unmoderated group
solves both.

"But think of the danger!" choruses a mess of people.  "Irresponsible
people could find out about all sorts of nasty unfixable bugs!"  In a
moderated newsgroup, either YOU won't find out about these bugs, or
EVERYONE will find out.  A mod group won't prevent crackers from
reading the list -- it only solves the second facet.  So this "problem"
will be solved by NOT POSTING submitted messages that are dangerous.
Do you want someone to screen out security problem reports that are
"too dangerous for you to handle"?  That's what they are doing now, and
is exactly what you are complaining about.

There is still the danger of someone shouting "FIRE!" in a crowded
newsgroup, e.g. posting a message indicating that a serious bug exists
in SunOS when it doesn't actually exist, and wasting a lot of people's
time.  But this problem will also occur in a mod group, unless the
moderator VERIFIES each problem report, probably by checking source
code.  That already introduces unpredictable delay and high overhead.
Even if bogus reports are posted to an unmoderated group, the problem
is only short-term though; it's fixed by having reputable people post
messages indicating that the problem was bogus.  Each recipient can
decide for themselves whether it's worth investing the time in checking
it out; there will be no moderator making those decisions for your
site.

In summary, a mod group doesn't provide any benefit over an unmod
group, and it provides an additional point of control which can and
will be abused to provide obscurity rather than security.
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu      gnu@toad.com
 Boycott the census!  In 1942, the Census Bureau told the Army which block
every Japanese-American lived on, so they could be hustled to internment camps.
         Maximum penalty for refusing to answer:  $100, no jail.