Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!brl-adm!adm!preece%mycroft@gswd-vms.arpa
From: preece%mycroft@gswd-vms.arpa (Scott E. Preece)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX-WIZARDS Digest V3#078
Message-ID: <4848@brl-adm.ARPA>
Date: Tue, 10-Mar-87 10:59:38 EST
Article-I.D.: brl-adm.4848
Posted: Tue Mar 10 10:59:38 1987
Date-Received: Wed, 11-Mar-87 00:43:17 EST
Sender: news@brl-adm.ARPA
Lines: 61

black@ee.UCLA.E: [responding to a note about Gould challenging the
local student ACM chapter to try to break into our Secure Unix product]
> By the time this ACM "attack team" is finished with their "project",
> every one of these people is going to be a veritable black-belt in
> system destruction. It speaks pretty poorly of Gould that they feel no
> compunction about encouraging people to obtain this type of knowledge.
----------
Well, if they don't learn about what holes in operating systems look
like, they can't reasonably be expected to avoid them when they get the
chance to design systems themselves. I presume their advisors will
counsel them on the appropriate use of this knowledge. I guess I
generally favor the acquisition of knowledge, even if that knowledge
has potentially evil applications.
----------
> Suppose that a nuclear energy facility had developed what they
> considered an "unbreakable" security system for a plutonium reprocessing
> plant. Would it then behoove the company to seek out a collection of
> Palestinian terrorists and dare them to steal 150 kilos of weapons-grade
> Pu? I dare say that any company doing this would soon find that its
> management was cooling their heels in a max. sec. prison.
----------
I don't know about seeking out practicing terrorists to test your
security, but the hiring of tiger teams to test security systems on
computer systems and physical plant facilities is well known. If your
security can be broken, you'd prefer to find out under controlled
circumstances rather than as the result of a real break in.
----------
> With Unix branching out into more and more critical operations (banking,
> hospitals, national security, etc.), what possible right does Gould have
> to assemble a team of "super-hackers", no matter how reliable these
> people are?
----------
I don't really think that's what the challenge is doing, but what I
said before still applies. The use of break in attempts by independent
teams is a fairly normal thing to do.

What Black really doesn't like is (1) that the knowledge acquired by
the team in trying to break into our system can then be applied to
other, probably less secure, Unix systems and (2) that the team will be
made up of students, who he apparently considers less trustworthy than
himself.

I don't see the problems he does. The knowledge of how to break Unix
systems is already spread far and wide; from the paper on Unix security
that accompanies the standard documentation to the discussions in books
like Tanenbaum's, this is hardly arcane stuff. As to the people
involved, I can only point to the many examples available of people
thought to be irreproachable professionals who turned out to be spies,
embezzlers, and cheats. The student chapter of the ACM at the
University is made of people who in a year or two will be functioning
computer professionals, just like the rest of us; I trust them as much
as I do Rex Black.

[DISCLAIMER: Though I work for Gould, I don't speak for Gould in this
note or in general.]

--
scott preece
gould/csd - urbana
uucp: ihnp4!uiucdcs!ccvaxa!preece
arpa: preece@gswd-vms