Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!husc6!rutgers!topaz.rutgers.edu!brandx.rutgers.edu!webber
From: webber@brandx.rutgers.edu (Webber)
Newsgroups: comp.misc
Subject: Re: Hacker Scholarship
Message-ID: <265@brandx.rutgers.edu>
Date: Sun, 28-Jun-87 06:28:56 EDT
Article-I.D.: brandx.265
Posted: Sun Jun 28 06:28:56 1987
Date-Received: Sun, 28-Jun-87 09:48:24 EDT
References: <2757@mtgzz.UUCP> <140200002@tiger.UUCP> <7232@mimsy.UUCP>
Organization: Rutgers Univ., New Brunswick, N.J.
Lines: 49
Summary: computer security is necessary even in a friendly environment

In article <7232@mimsy.UUCP>, mangoe@mimsy.UUCP (Charley Wingate) writes:
> Randy Davis writes:
>
> > This is getting pretty stupid. There are only a finite number of security
> >holes. ....

How on earth do you count the number of security holes? If I fix them all in one login does that mean there was only one? Most systems just have one logical error, i.e., someone thought they were ready to ship.

> >..., wake up to the real world. Ignoring them and acting as if law
> >enforcement will eradicate computer security holes is pretty ridiculous.
>
> There are two errors here.
>
> The first is that there is ALWAYS a security hole. For starters, there is
> the front door of the system. Security systems are not like full body
> armor; they are more like shields, and there is always someone clever enough
> to figure out either how to go around or how to exploit the necessary holes
> in the system. ...

Sigh. Physical security is not what is at issue here. Surely none of the `Hacker Scholarships' are given for mounting an armed attack on a computer installation.

The lack of computer security greatly reduces the utility of computers. Due to its lack, no sensible person can keep important records on the computer or use the computer (and related communication technology) for the transfer of important information (the fact that foolish people have greatly over-exposed the economic institutions of some countries, such as the U.S.A., is reason to fire the fools and pull out of the mistake rather than a reason to seek a legislative solution to a technical nightmare).

Even when no one is trying to corrupt the data on a system, the lack of security features also makes even isolated standalone systems difficult to use. Every time a bug in a piece of code written by an unprivileged user crashes a system, you are seeing a security loophole that is causing a problem even though there is no issue of `criminal intent' involved. On a large timesharing system, such `bugs' can be a real pain to track down :-)

------ BOB (webber@aramis.rutgers.edu ; rutgers!aramis.rutgers.edu!webber)

How many people use dr-xr-xr-x to make sure they don't accidentally delete the files themselves?
How many security holes were found by people that were not looking for security holes but were just trying to get their work