gnu@sun.uucp (John Gilmore) (06/07/84)
Suppose you ran a Unix system that got broken into by people who discovered that 10% of the random 5-letter passwords they typed worked. While they are clearly responsible for their actions, you didn't take adequate care to protect yourself -- you were stupid about security. If somebody posted a message saying "Such and such a system accepts 10% of the random 5-letter passwords you give it", should you charge them with a crime? NO -- I claim you should fix your system.

A long time ago I was a regular caller of an underground phone phreak BBS (8BBS in Santa Clara, CA). Various similar messages appeared there about how easy it was to "scan" for MCI or Sprint access codes. Indeed, calling the local access number and trying 10 or 20 random combinations (especially ones near other access numbers) worked very well. After a year or two the companies wised up and fixed the way they assigned numbers.

What's the point? As long as Bell, credit card companies, etc, don't take adequate precautions against fraud, I don't think it's fair for them to lobby for increased legal protection. Computerniks and phone phreaks all know just how BAD their security is, yet here we are seeing a lot of people lobbying for tougher laws on system cracking, supporting arrest of people who use BBS's to exchange info on breaking security, etc. We discovered in the '20's that making an easy thing illegal doesn't stop people from doing it; the fix is to make it hard.
SAPPHO@SRI-NIC.ARPA (06/14/84)
From: Lynn Gazis <SAPPHO@SRI-NIC.ARPA>

Wrong. If someone breaks into your security, you should certainly fix the holes in it, but to refrain from charging the person with a crime because you were careless is ridiculous.

In the first place, I find this viewpoint morally obnoxious. Carrying the principle behind this argument to its logical conclusion seems to lead to the conclusion that one shouldn't prosecute murderers as long as their victims were careless enough to put themselves in a position where they were vulnerable.

In the second place, reporting the crime to the police seems to me to be useful. If the person is caught, then at least one phone phreak is likely to do less phreaking, and if the probability of getting punished is high enough, it will deter other people. I don't buy your argument that increased security is the real solution. I think one can pursue both of those solutions at once. It's not as if they interfere with each other.

In the third place, as people pointed out in the piracy discussion, methods adopted by companies to increase security are part of the problem caused by fraud. I am tired of stores where I am asked to leave my backpack in front where it is more likely to be stolen because some twits felt like shoplifting. I am dismayed to see software protected so that people can't make backups because some twits felt like pirating it. Let people increase their security as much as they have to out of self interest. But I had rather punish criminals than law-abiding citizens, so I think that laws should be used for all they are worth.

Lynn Gazis