Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site fortune.UUCP
Path: utzoo!watmath!clyde!burl!we13!ihnp4!fortune!rpw3
From: rpw3@fortune.UUCP
Newsgroups: net.misc
Subject: Re: Re: Password hacker gets probation ( - (nf)
Message-ID: <3229@fortune.UUCP>
Date: Thu, 3-May-84 23:04:48 EDT
Article-I.D.: fortune.3229
Posted: Thu May  3 23:04:48 1984
Date-Received: Fri, 4-May-84 06:45:55 EDT
Sender: notes@fortune.UUCP
Organization: Fortune Systems, Redwood City, CA
Lines: 39

#R:ihu1g:-30800:fortune:6700036:000:1741
fortune!rpw3    May  3 18:17:00 1984

+--------------------
| I don't think that people who set up electronic networks and
| communications systems for profit should turn to the law for
| recourse when people start gaining unauthorized access to them.
| Rather, a technological solution should be sought.  That way,
| us engineers stay employed, and the public is spared the expense
| of the legislation and prosecution of laws regulating communications
| access.
+--------------------

Unfortunately, for many common cases of interest (such as protecting
high-volume over-the-counter retail software), there is no economically
feasible technological "solution". The best the engineer can do (and what
any security consultant SHOULD be telling you!), is to raise the cost of
cracking the system just until the incremental cost of more protection is
about to become greater than the incremental savings from such additional
protection.

The legal system is part of the "technology" of protection. By raising
the cost of penetration, you also make the perpetrator (if rational)
raise the scale of his/her activities to justify the "return on
investment", increasing the visibility of those actions, thus making
detection (by the legal system) more likely.

I do agree that a certain minimum amount of protection is prudent, to
deter both the naive/clumsy accident (the "klutz") and the irrational
sociopath (the "fanatic"). But extreme technical expense must be
justified on a balanced risk/benefit analysis. Too often one extreme
or the other is taken, without cause (other than the "ostrich position").

Rob Warnock

UUCP:	{ihnp4,ucbvax!amd70,hpda,harpo,sri-unix,allegra}!fortune!rpw3
DDD:	(415)595-8444
USPS:	Fortune Systems Corp, 101 Twin Dolphin Drive, Redwood City, CA 94065