Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!mailrus!sharkey!itivax!scs
From: scs@itivax.iti.org (Steve C. Simmons)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Worm report fails to address the problem
Message-ID: <2408@itivax.iti.org>
Date: 27 Jul 89 12:21:28 GMT
References: <8907211627.aa28013@note.nsf.gov> <8136@hoptoad.uucp>
Organization: Industrial Technology Institute, Ann Arbor, MI.
Lines: 28

gnu@hoptoad.uucp (John Gilmore) writes:
>I think that *responsibility* for security should still rest on the
>individual hosts and networks. However, there should be public *testing*
>of security by any interested parties, in the spirit of fire drills.
>The key to making decentral security work is public testing. On the
>third Tuesday of each month, say, it's open season on breaking into
>other people's machines over the Internet -- IF you provide a
>transcript of your actions afterward. . . .

While I agree with John that testing is key, this is the wrong way to
go about it. Several times I've made deals with other sysadms to crack
each other's systems, but this is a far cry from 'open season'. Testing
should be private and controlled. What should be open is the immediate
dissemination of how to close any holes opened.

Many shops (not naming any names here) have implicitly or explicitly
decided not to beef up security -- they may feel it isn't worth the
effort or have decided to trust the Internet community. Whether you
agree or disagree with this is irrelevant. Declaring 'open season' on
them will likely cause them to get angry and perhaps stimulate the same
repressive legislation and central bureaucracy you oppose.

season' will cause these shops a great deal of distress

--
Steve Simmons    scs@vax3.iti.org
Industrial Technology Institute    Ann Arbor, MI.
"Velveeta -- the Spam of Cheeses!" -- Uncle Bonsai