[net.followup] More laws are not the way to fix fraud

gnu@sun.uucp (John Gilmore) (06/07/84)

Suppose you ran a Unix system that got broken into by people who
discovered that 10% of the random 5-letter passwords they typed
worked.  While they are clearly responsible for their actions, you
didn't take adequate care to protect yourself -- you were stupid about
security.

If somebody posted a message saying "Such and such a system accepts
10% of the random 5-letter passwords you give it", should you charge
them with a crime?  NO -- I claim you should fix your system.

A long time ago I was a regular caller of an underground phone phreak
BBS (8BBS in Santa Clara, CA).  Various similar messages appeared there
about how easy it was to "scan" for MCI or Sprint access codes.
Indeed, calling the local access number and trying 10 or 20 random
combinations (especially ones near other access numbers) worked very
well.  After a year or two the companies wised up and fixed the way
they assigned numbers.

What's the point?  As long as Bell, credit card companies, etc., don't
take adequate precautions against fraud, I don't think it's fair for
them to lobby for increased legal protection.  Computerniks and phone
phreaks all know just how BAD their security is, yet here we are seeing
a lot of people lobbying for tougher laws on system cracking,
supporting arrest of people who use BBS's to exchange info on breaking
security, etc.  We discovered in the '20's that making an easy thing
illegal doesn't stop people from doing it; the fix is to make it hard.