Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!tut.cis.ohio-state.edu!ucbvax!ulysses!ulysses.att.com!smb
From: smb@ulysses.att.com (Steven Bellovin)
Newsgroups: comp.unix.wizards
Subject: Re: Should Dan post full details of his tty bugs?
Message-ID: <14767@ulysses.att.com>
Date: 14 May 91 01:42:29 GMT
References: <26844:May100:59:2591@kramden.acf.nyu.edu> <4601@skye.ed.ac.uk> <1991May6.111540.17621@santra.uucp>
Sender: netnews@ulysses.att.com
Lines: 44

Several people have suggested that Dan post full details, simply because responsible ``undergrads'' will at most verify the existence of the problem, and then report it to the system administrator. Some, it is claimed, will even offer help in fixing the problem.

The above statements are true, but irrelevant. It only takes one malicious user to wipe out an entire system. Why would someone do that? I don't know -- why do some people slash car tires, or scribble on bathroom walls? There's no reason to think that access to the Internet is a warranty of one's ethical behavior. This much is certain: some people commit such actions, for whatever reason.

Even assuming I'm willing to trust all of my legitimate users -- and that would be a rash assumption; most studies indicate that most security problems are from insiders -- I'm not willing to wager that no outsiders are using my system. More precisely, given the apparent density of security holes and lapses, I must assume that at some point, people I don't trust will crack my system. If that happens, I very much want to prevent any further damage -- and we know that one of the first things a {cr,h}acker tries to do is to collect more passwords for use on other machines. The holes Dan is talking about are directly implicated here.

It is, incidentally, somewhat libelous to blame ``undergrads'' as a class for being hackers. It's simply that undergraduates as a class are the youngest group with substantial representation on the Internet. And, like it or not, age is well-correlated with the incidence of all manner of anti-social behavior. Call it lack of maturity, call it idle hands, call it what you will -- but the fact isn't particularly disputable.

Yes, there are responsible undergraduates -- the vast majority, in fact. And many of the ones who poke and pry into systems really are trying to learn. I sympathize -- I did (and do) the same. But, just as the library finds it necessary to place some restrictions on who can remove which books, and for how long, a responsible system administrator takes precautions to ensure that *everyone* can use the computer system.

		--Steve Bellovin

P.S. Don't read this as saying Dan should or should not post full details. I have my own opinions, but I'm not in the mood to post them now, amidst the sturm und drang.