Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!ut-sally!husc6!rutgers!sri-spam!mordor!lll-lcc!ptsfa!hoptoad!academ!uhnix1!sugar!peter
From: peter@sugar.UUCP (Peter DaSilva)
Newsgroups: misc.headlines,comp.misc
Subject: Re: Hacker Scholarship
Message-ID: <233@sugar.UUCP>
Date: Sun, 28-Jun-87 13:26:49 EDT
Article-I.D.: sugar.233
Posted: Sun Jun 28 13:26:49 1987
Date-Received: Thu, 2-Jul-87 04:47:07 EDT
References: <2757@mtgzz.UUCP> <345@genesis.UUCP> <532@houxa.UUCP>
Distribution: na
Organization: Sugar Land UNIX - Houston, TX
Lines: 100
Keywords: Wozniak, CU, Apple, security
Summary: High security is not always desirable
Xref: mnetor misc.headlines:804 comp.misc:772

In article <532@houxa.UUCP>, mel1@houxa.UUCP (M.HAAS) writes:
> I agree with much of what Andy says, but feel that his anger should
> mostly be directed to the people who consciously allow the hackers
> to do so much damage. Woz's work was done several generations of
> system software and hardware ago. The holes were well known then
> and still allowed to exist. They exist now and are still allowed
> to exist. Why? Who makes these decisions? Why?

The "holes" still exist because the solutions to them usually cause more
problems than the holes themselves do. These solutions all serve to further
distance the user from the computer, and make the computer less of a useful
tool. If Wozniak was really thinking about the situation rather than mouthing
sixties platitudes, then he would realise that if people took him seriously
the situation would worsen. The United States is a society based on free
(that is, unregulated) transfer of goods and services. Anything that serves
to interrupt that hurts the country.

And... you can find and fix loopholes without becoming a cracker. While I was
at Berkeley I discovered a couple of holes in the EECS machine. Both were
minor and temporary, but rather than screwing things up and encouraging
paranoid measures, I plugged them and left mail to someone responsible.

> The DES algorithm is now quite old, but still not used in computer
> hardware. Why?

The DES algorithm is used in computer hardware where security is important.
The UNIX password encryption technique is a deliberately mutated version of
the DES algorithm... mutated so that DES chips can't be used in an exhaustive
search of likely name spaces.

> Call back and random password techniques are readily available, but aren't
> used. Why?

Because they're a pain. People do not like to remember random passwords, and
are more likely to write them down somewhere... which would actually reduce
security. Callback is used where necessary, but most of the time users of a
machine need to be able to call from multiple and unpredictable places. For
example... reporters phoning in a story from a hotel room.

> Data communication protocols are well into the standards making procedure,
> but don't include encryption capabilities. Why?

Because it's neither a necessary nor sufficient technique. It's not necessary
because you can always encrypt your data at a higher level, and it's not
sufficient because all systems still have to have the keys. If security is
broken at one site and the key is discovered you will now be completely
open... while still thinking you're secure. On the other hand individual
files and parts of files can be encrypted using a key that's not even stored
permanently online *anywhere*.

> Our computer systems can be designed to be reliable and fault tolerant, but
> still require "superuser" gurus to administer them. Why?

Because the set of things that can go wrong is larger than the set of things
that can be predicted to go wrong, and because a human is still cheaper than
a 500 megabyte AI system.

> I think the damage is being done by the people who bury their heads
> in the sand and foist these security horrors onto the public, not
> the college kid hackers.

While you didn't mean that the way I would, I'd have to agree with you. The
damage is being done by the people who want to foist excessive security
measures onto the public.

> Make it so that nothing gets onto any storage hardware in clear text.
> Don't allow anyone to get access to the system without their handy-dandy
> vest pocket gadget. Don't put anything over any line or cable in
> clear text. Don't let anybody, ever, get into the system with
> "privileged" access.

There are systems that do this. They tend to be slow, cumbersome to use, and
at Government sites.

> ---- Then, do as Woz suggests, and pay the brightest and best to find holes
> in the defenses.

This is also done. Have you ever heard of the Navy's "Tiger Teams"?

> And pay rewards for being a hacker and learning the next generation of
> techniques to cause problems.

Pay rewards for reporting problems, not for taking advantage of them... and
don't pay so much that you divert too many resources into security. A
computer is primarily a tool, not a place to play "wheel wars".

> ---- Then DO SOMETHING about the problems, don't let another 12 years or
> so go by with heads buryed.

That's "buried". Before you do something about the problem, make sure it's
costing you more than the solution. Shoplifting could be solved by doing
strip-searches of all customers before they leave the store, but it would
probably not turn out to be a wise investment.

> Mel Haas , odyssey!mel
-- 
-- Peter da Silva  `-_-'  ...!seismo!soma!uhnix1!sugar!peter
   (I said, NO PHOTOS!)