Path: utzoo!attcan!uunet!seismo!ukma!tut.cis.ohio-state.edu!ucbvax!CC3.CC.UMR.EDU!obrennan
From: obrennan@CC3.CC.UMR.EDU (obrennan)
Newsgroups: comp.sys.apollo
Subject: security problems
Message-ID: <9006281344.AA00445@cc2.cc.umr.edu>
Date: 28 Jun 90 13:44:17 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 46

NO! I feel compelled, as a simple user, to respond to this. Here is a true story.

Back in 1976, the ADP director at RMC (Royal Military College) had all the WATFOR manuals expunged of the flag (pages=n) on the $JOB card to keep students from using too much paper. But when I transferred from RMC to CMR (College Militaire Royal) in 1979, I found with surprise that all the $JOB flags were explained at great length, in French, on the wall. Year after year, 150 students transfer from CMR to RMC!!

The moral of this story is: You can control your own installation by removing/hiding information, but if this information is available elsewhere, watch out.

In my own modest opinion, the only effective procedure to have security problems such as this rendered harmless is to post them on the wall...

(By the way, if you trust the standard Unix password encryption and have not heard of the Cryptbreaker workbench, you are just like this RMC ADP director, hiding your head in the sand (:-))

Is this to imply that because there are some inherent security problems that can't be alleviated that we tell of all of the other problems? Some security breaks take effort while others don't. The security problems that don't take effort will invite many more to the party who just want to see what is happening at the party and will inadvertently get in trouble. The above thinking is in line with "Because someone CAN break into my house I might as well give them the keys". By the way, with announcing the info to the list you are ALSO giving away the keys to others' houses.

I still think that the information can be just as helpful by opening up a problem report with Apollo and announcing that problem report # so that other administrators can query Apollo about it without exposing the network. Also, what is the liability of a person for publicly exposing this information? What if millions of dollars are lost because of the posting of the information?

Gerry O'Brennan
Computing Services
University of Missouri - Rolla
------------------------------
obrennan@apollo.cc.umr.edu
c0022@umrvmb.umr.edu
------------------------------