Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!brl-adm!adm!black@ee.UCLA.EDU
From: black@ee.UCLA.EDU
Newsgroups: comp.unix.wizards
Subject: Re: UNIX-WIZARDS Digest V3#078
Message-ID: <4908@brl-adm.ARPA>
Date: Wed, 11-Mar-87 22:02:29 EST
Article-I.D.: brl-adm.4908
Posted: Wed Mar 11 22:02:29 1987
Date-Received: Fri, 13-Mar-87 01:07:43 EST
Sender: news@brl-adm.ARPA
Lines: 44

> What Black really doesn't like is (1) that the knowledge acquired
> by the team in trying to break into our system can then be applied
> to other, probably less secure, Unix systems and (2) that the
> team will be made up of students, who he apparently considers less
> trustworthy than himself.

I have a feeling I'm gonna get shredded on this issue, but I've got to stick by my guns. My main failure was not suggesting a reasonable alternative; as usual, that resulted in misunderstanding.

The things I *really* don't like are:

1) Gould is not going to take the results of these experiments and pass them on to other UNIX OS writers. (I may be wrong. However, the posting did not mention any planned distribution of results.) Under ordinary circumstances, Gould would be under no obligation to share trade secrets that it had spent money to obtain. However, in this case it *is* obligated to share this info because, by the very act of obtaining it, it has placed other, less secure sites in greater potential danger than they were in before it assembled this team.

2) I deliberately pointed out that I would personally refuse to be involved in such an experiment. It's kind of like Pandora's box-- it's quite possible that everyone involved in this project will find that this knowledge is not a temptation. But, as a very wise fortune cookie once told me: "The problem with resisting temptation is that it may never come again."

My solution would not be to "stick your head in the sand" as one person suggested. I would think that Gould could find a group of excellent programmers--perhaps hire some professors or professionals as consultants--and organize their own, paid attack team. These people would then have a vested interest in not misusing the information they'd obtained.

'Nough said.

Rex Black

black@ee.ucla.edu ARPA
...!{ihnp4,ucbvax,sdcrdcf,trwspp}!ucla-cs!uclaee!black UUCP

Disclaimer: Once again, these opinions are my own and may or may not be shared by the UCLA Administration or any of its employees.