Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!ucbvax!ti-eg.CSNET"!"MCCORE::BOLTHOUSE
From: "MCCORE::BOLTHOUSE@ti-eg.CSNET".UUCP
Newsgroups: mod.computers.vax
Subject: Musings regarding students, this forum, and security
Message-ID: <8702061525.AA02007@ucbvax.Berkeley.EDU>
Date: Thu, 5-Feb-87 13:04:00 EST
Article-I.D.: ucbvax.8702061525.AA02007
Posted: Thu Feb 5 13:04:00 1987
Date-Received: Sat, 7-Feb-87 19:23:17 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 52
Approved: info-vax@sri-kl.arpa

>What exactly is the harm in releasing this (i.e. security-related)
>material to students ?

Not everybody is trustworthy, nor are they above using information gained from this conference in attempting to break other systems. Usually this activity is benign, but when it isn't, it can cause extensive economic loss to the owning organization. When the organization in question is a university, it's not as large a problem wiping out a student's latest and greatest C program as it is when someone corrupts, say, the image for the FORTRAN compiler, perhaps causing it to issue invalid instructions... or, say, blowing away ACCOUNTNG.DAT (DP auditors don't like it when the figures don't add up...not to mention the government).

We have ways of watching such activity, we try to stop it. However, we are all dependent upon VMS, and when it is compromised in any way, we are all hanging by a thread.

Most of the industrial employees in this conference are system managers and have a vested interest in keeping malicious people off of their system. If they don't do their job, it's their head that rolls. Students have no such "incentive".

After the recent incident at Stanford, you'd think such questions wouldn't even come up... DIGITAL had a watchful employee that saved them from experiencing the same problems.
Had someone broken into DEC's Western Research Labs' machines, using information gained from this conference, wouldn't we be at least morally liable for any loss? A good lawyer might even have a few other things to say about it.

How much is *your* accounting data worth in computer time billed back to your customers? How much is it worth in helping you manage development costs? How would *you* like to lose, say, a month's worth of the stuff? Whose head would roll then?

I am against publishing security-related materials to the world. I understand system managers need to know about problems, but we need some level of assurance that people with "unusual motivation to use such information" will not see it. I know it's tough to regulate the flow of communication on a public network, but one way is to *not* make such information available to whoever bloody well wants it on the receiving end.

The possibility of a VAX-MGMT conference has been mentioned before, but perhaps the revelations from CMU and other universities give such an idea greater plausibility. I *do* know I won't submit articles related to security in the future, and I suspect other corporate participants may feel the same.

David L. Bolthouse
Texas Instruments Defense Electronics Information Systems VAX System Support
ma bell: 214-952-2059
csnet: bolthouse%mcopn1@ti-eg.csnet

Disclaimer: The views represented herein are mine alone, and do not reflect those of my employer. But you can guess what they think.