Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!uwvax!oddjob!mimsy!aplcen!osiris!jdia
From: jdia@osiris.UUCP (Josh Diamond)
Newsgroups: misc.headlines,comp.misc
Subject: Re: Hacker Scholarship
Message-ID: <1226@osiris.UUCP>
Date: Mon, 29-Jun-87 14:06:10 EDT
Article-I.D.: osiris.1226
Posted: Mon Jun 29 14:06:10 1987
Date-Received: Wed, 1-Jul-87 03:30:46 EDT
References: <2757@mtgzz.UUCP> <345@genesis.UUCP> <532@houxa.UUCP> <1594@celtics.UUCP>
Distribution: na
Organization: Johns Hopkins Hospital
Lines: 67
Keywords: Wozniak, CU, Apple, security
Xref: mnetor misc.headlines:764 comp.misc:760

In article <1594@celtics.UUCP>, roger@celtics.UUCP (Roger B.A. Klorese) writes:
> ...
> Why do people seem to think that the advent of computers has liberated
> them from moral education? Electronic crime is still crime. Would you
> applaud your local police picking up street gang members, and, instead of
> punishing them, paying them to teach how to perform assaults? I agree
> that it is important to beef up security... but this "aren't hackers
> cute?" mentality is the MAJOR threat. Someone who destroys a financial
> record should be jailed for robbery. It's THAT simple. I don't care
> if your tool is a jimmy or a keyboard. Scum is scum, no matter how
> high-tech the pond it's floating atop.

I seem to recall that there was an episode of Max Headroom where someone describes computer/credit fraud as being "worse than murder".

There also was a story written by Isaac Asimov (I think) about someone in an ultra-computerized society who committed computer fraud. His punishment was to be prevented from using a computer for a year. He was conditioned psychologically to vomit every time he touched a computer device of any type.

In my opinion, a little of all aspects of protection is necessary.
A combination of stiffer penalties for computer fraud/vandalism/theft, strong education on the fact that these actions are immoral (or at least illegal -- no flames about "morality" please), and better security procedures.

With regards to maintaining better security procedures, these could include (but by no means be limited to) the following ideas:

1) Distribution of random letter combination privileged passwords at random intervals through secure communication channels.
2) Forcing users to change their passwords regularly.
3) Callback systems to verify the system is being accessed from a known terminal.
4) Implementation of a key card system, in which the user must insert his/her card into a slot in the terminal so that it can be read and verified. Login name and password would still be required, but this would help prevent users from looking over someone's shoulder to find out their password and get onto the system. (I believe that IBM already implemented a system like this as an option on their 3270 series terminals).
5) Use of encryption systems (RSA public key preferably) for communication and storage of private data/messages.
6) Keep accurate accounting files tracking all commands/system calls executed.
7) Make sure that all accounts autologout after a relatively short period of idle time (perhaps send a warning message after 30 seconds idle time, then autologout if still no key hit within 30 seconds). This would prevent the "root forgot to log out and left an open terminal as superuser" problem.

At one system that I know of, new student and faculty user id's are posted in the computer center. The initial password is always the person's social security number. There are always those users who never change their passwords, leaving a gaping hole in security.
There are others who never use their account, leaving it open to anyone who takes the time to figure out the user's social security number (not very difficult at a university where SS# doubles as school id number).

		Spidey!
--
DON'T PANIC!!!                                        /\     Josh     /\    At last! a
                                                     //\\     ..     //\\   spider that
A message from Spidey, and the Spidey Team. ----->>>  //\((  ))/\\   looks like
Available via UUCP: ...[seismo,mimsy]!jhu!osiris!jdia  / < `' > \    a spider!
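
The two holes described at the end of the post above (initial passwords set to an ID number and never changed, and accounts that are never used) can be found by an administrator's audit. The following is an added example, not part of the original post; the record layout, the PBKDF2 storage scheme, the 90-day dormancy threshold and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed storage scheme: PBKDF2-HMAC-SHA256 with a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def audit_accounts(accounts, today, dormant_days=90):
    """Return {login: [findings]} for accounts showing either hole."""
    findings = {}
    for acct in accounts:
        issues = []
        # Hole 1: password was never changed from the issued ID number.
        default_hash = hash_password(acct["id_number"], acct["salt"])
        if hmac.compare_digest(default_hash, acct["pw_hash"]):
            issues.append("initial password still in use")
        # Hole 2: account never used, or idle longer than the threshold.
        last = acct["last_login"]
        if last is None:
            issues.append("never logged in")
        elif (today - last).days > dormant_days:
            issues.append(f"idle {(today - last).days} days")
        if issues:
            findings[acct["login"]] = issues
    return findings

def _acct(login, id_number, password, last_login):
    """Build one constructed sample record (not real data)."""
    salt = hashlib.sha256(login.encode()).digest()[:16]  # fixed salt, demo only
    return {"login": login, "id_number": id_number, "salt": salt,
            "pw_hash": hash_password(password, salt), "last_login": last_login}

# Constructed sample accounts; the ID numbers are made-up placeholders.
SAMPLE = [
    _acct("asmith", "000-00-0001", "000-00-0001", date(1987, 6, 20)),
    _acct("bjones", "000-00-0002", "t4ngerine-Kite", date(1987, 6, 28)),
    _acct("cwu", "000-00-0003", "000-00-0003", None),
    _acct("dlee", "000-00-0004", "quiet-Harbor-19", date(1987, 1, 5)),
]

if __name__ == "__main__":
    for login, issues in audit_accounts(SAMPLE, date(1987, 6, 29)).items():
        print(f"{login}: {', '.join(issues)}")
```

Accounts flagged this way are candidates for a forced password change or for disabling until the owner claims them.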