Path: utzoo!attcan!uunet!cs.utexas.edu!sun-barr!apple!agate!ucbvax!DSRM12.STEVENS-TECH.EDU!DSTEVENS
From: DSTEVENS@DSRM12.STEVENS-TECH.EDU (David L. Stevens)
Newsgroups: comp.protocols.tcp-ip
Subject: RE: RE: Worm report fails to address the problem
Message-ID: <89627152623.c83.DSTEVENS>
Date: 27 Jul 89 19:26:23 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 109

In Message <8136@hoptoad.uucp> John Gilmore writes:

> I found the OTA worm report to not be very helpful.
>
> It recommends central control of Internet security.  Of course, this is
> what a government would tend to recommend -- centralization of authority.

However, without some form of central authority you end up with anarchy,
and you need someone with sufficient clout to punish people who violate
security.

[intervening text omitted]

> I think that *responsibility* for security should still rest on the
> individual hosts and networks.  However, there should be public *testing*
> of security by any interested parties, in the spirit of fire drills.
>
> Responsibility for security should remain decentralized because one
> model is not appropriate for all sites.  A central bureaucracy will not
> have experts in each type of machine on the Internet.  And central rules
> will necessarily be compromises -- too loose for some sites, too strict
> for others.
>
> The key to making decentral security work is public testing.  On the
> third Tuesday of each month, say, it's open season on breaking into
> other people's machines over the Internet -- IF you provide a
> transcript of your actions afterward.

That's a mighty big IF.  Declaring a day as open season to break into
any system on the network is like declaring a day as open season to
break into any bank in the country.  So what if you leave a transcript
saying that you got in by breaking the window?  Who's going to pay for
the window afterwards?

> Organizations with particular
> security concerns can fund people to test their own security, or can
> swap with another organization and test each others' security.  DARPA
> and NSF can fund a few people to do more widespread "scattergun"
> testing.  And there will always be plenty of volunteers because people
> like to solve puzzles.

If you make arrangements with someone to specifically attempt to break
into your system, that's fine; at least you'll know who's doing what.
But to allow any random schmoe on the network to try and break in leaves
no accountability.  How would you be able to tell a "helpful" cracker,
if there is such a beast, from a "harmful" cracker?

> The key is to make this a regularly scheduled, publicly sanctioned
> event.  You could even award prizes, as in the computer Go tournaments
> or the Obfuscated C contest -- highest volume of systems cracked, most
> obscure hole found, hardest to fix problem, least visible intrusion,
> etc.  These could even carry cash prizes -- if you break into a NASA
> computer during such a fire drill, and document your breakin, we'll pay
> you $1000.  This would fund the best crackers so they could afford to
> continue providing high quality testing.  Entire classes of
> undergraduates and grad students could do security testing projects,
> using the Internet as their testbed.  This would educate lots of folks
> about how to provide good security, and make the Internet the most
> secure network, by constantly testing and fixing its security.

Undergraduates and graduates already try to break into systems, either
on their campus or off on networks.  The last thing college Comp Center
staffs need to deal with is encouragement, especially monetary, for them
to continue!

> Of course, people who didn't *want* to fix their security could just
> drop off the net one Tuesday a month.  But public disclosure of the holes
> found in other systems would make their systems more vulnerable the
> rest of the time, and they would have strong incentive to either clean
> up their security, or drop off the Internet.  In either case the Internet
> is left more secure.

What about those of us who just don't like the idea of people trying to
break into our systems?  You're taking away an important research
resource so that people can burn bandwidth trying to break into places
where they don't belong.

> The only way I can see to keep the Internet secure is "eternal vigilance".

Eternal vigilance is what's needed in order to keep systems secure.  But
we need laws so that we can punish people who violate our security and
break into, or contaminate, our systems.

> A central security bureau will not be eternally vigilant -- it will become
> bureaucratic and lazy.  And it will have no incentive to reveal what it
> has learned about security, except to small numbers of people (e.g. the

[ rest of text omitted ]

> --
> John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        gnu@toad.com
> "And if there's danger don't you try to overlook it,
>  Because you knew the job was dangerous when you took it"
> ------------
>

===============================================================================
|                                  |                                          |
| David L. Stevens                 | CCnet:    SITVXC::DSTEVENS               |
| Senior Systems Programmer        | BITnet:   DSTEVENS@STEVENS               |
| Stevens Institute of Technology  | INTERnet: DSTEVENS@VAXC.STEVENS-TECH.EDU |
|                                  |                                          |
===============================================================================
[ ...self realization, I was thinking of those immortal words of Socrates ]
[ when he said: 'I drank what?'  - Val Kilmer - Real Genius               ]
------------