Path: utzoo!attcan!uunet!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Worm report fails to address the problem
Message-ID: <8136@hoptoad.uucp>
Date: 26 Jul 89 19:54:58 GMT
References: <8907211627.aa28013@note.nsf.gov>
Organization: Grasshopper Group in San Francisco
Lines: 79

I found the OTA worm report to not be very helpful. It recommends central control of Internet security. Of course, this is what a government would tend to recommend -- centralization of authority. We have several centralized authorities for security and privacy now -- the NSA, NIST, and CERT. NSA is habitually silent (protecting its own security, not anyone else's), NIST doesn't seem to have the expertise, and CERT seems to be following the NSA model (all information flows inward).

It discussed several research projects, including the use of cryptography for email; Kerberos; and formal proofs of programs. What it forgot to point out was that none of this research would have had any effect on the worm.

It talks about existing laws and proposed bills that would criminalize the release of a worm -- while conveniently ignoring that these bills would criminalize things that all of us do daily.

I think that *responsibility* for security should still rest on the individual hosts and networks. However, there should be public *testing* of security by any interested parties, in the spirit of fire drills.

Responsibility for security should remain decentralized because one model is not appropriate for all sites. A central bureaucracy will not have experts in each type of machine on the Internet. And central rules will necessarily be compromises -- too loose for some sites, too strict for others.

The key to making decentral security work is public testing. On the third Tuesday of each month, say, it's open season on breaking into other people's machines over the Internet -- IF you provide a transcript of your actions afterward.
Organizations with particular security concerns can fund people to test their own security, or can swap with another organization and test each other's security. DARPA and NSF can fund a few people to do more widespread "scattergun" testing. And there will always be plenty of volunteers because people like to solve puzzles. The key is to make this a regularly scheduled, publicly sanctioned event.

You could even award prizes, as in the computer Go tournaments or the Obfuscated C contest -- highest volume of systems cracked, most obscure hole found, hardest to fix problem, least visible intrusion, etc. These could even carry cash prizes -- if you break into a NASA computer during such a fire drill, and document your breakin, we'll pay you $1000. This would fund the best crackers so they could afford to continue providing high quality testing.

Entire classes of undergraduates and grad students could do security testing projects, using the Internet as their testbed. This would educate lots of folks about how to provide good security, and make the Internet the most secure network, by constantly testing and fixing its security.

Of course, people who didn't *want* to fix their security could just drop off the net one Tuesday a month. But public disclosure of the holes found in other systems would make their systems more vulnerable the rest of the time, and they would have strong incentive to either clean up their security, or drop off the Internet. In either case the Internet is left more secure.

The only way I can see to keep the Internet secure is "eternal vigilance". A central security bureau will not be eternally vigilant -- it will become bureaucratic and lazy. And it will have no incentive to reveal what it has learned about security, except to small numbers of people (e.g. the people who maintain 'sendmail' at various vendors). In fact, revealing breakins will DECREASE its reputation -- "No one has ever escaped from Stalag 13!"
There seems to be a meme loose today that wants to criminalize all sorts of activities -- that views making something illegal a "fix" for the problems it presents. But the problems persist regardless of what the laws say. I think something closer to a "fix" would be to bring the activity out of the underground and diffuse it through society, in a cooperative rather than combative situation.

*If we keep treating security testing as something only criminals will do, only criminals will do it!*

-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu      gnu@toad.com
  "And if there's danger don't you try to overlook it,
   Because you knew the job was dangerous when you took it"