Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!seismo!rochester!cornell!uw-beaver!fluke!kurt
From: kurt@fluke.UUCP
Newsgroups: comp.misc
Subject: Re: Hacker Scholarship
Message-ID: <1173@sputnik.COM>
Date: Tue, 30-Jun-87 12:10:23 EDT
Article-I.D.: sputnik.1173
Posted: Tue Jun 30 12:10:23 1987
Date-Received: Sat, 4-Jul-87 02:11:28 EDT
References: <2757@mtgzz.UUCP> <140200002@tiger.UUCP> <7232@mimsy.UUCP>
Sender: news@tc.fluke.COM
Lines: 45

[ the line eater is a security hole ]

No computer system with dialin lines is secure. There is, in the final analysis, no way to prevent an unauthorized user from using a legitimate key to gain access.

No computer on a network with any insecure computer is secure. Access to the network can be obtained from the insecure computer.

No electronic security is any better than the surrounding physical security, since if one can obtain access to the console, there is often no limit to the things one can do.

Computer security is like a castle wall and moat. In the history of castles, those castles with thick stone walls and moats were never stormed successfully, but were frequently taken by treachery or patient siege.

There is also a tradeoff between security and convenience. If every action requires a password, computer users will spend 99% of their time typing passwords. The problem of memorizing all these passwords also leads to counterproductive shortcuts like using short, duplicate, or easily memorized passwords for too many things. Tight, rigid security gets in the way of legitimate use of the system. Computer security, like a suit of armor, cannot be made so heavy it prevents movement.

No security is absolute. (Most) computer systems are not "wide open". UNIX, for instance, has numerous holes through which a break-in may take place, but you still give a name and password to log on. Computer security is like your own home. You have locks on your doors, but windows made of glass. It is a trivial matter to break a window and go in, but breaking and entering is still a crime. The login/password is like a door lock. It can only serve as a reminder that access is restricted. As functioning members of society, we are each responsible to respect the rights of others to lock doors they own, and not try to kick them down just because we can.

Password hacking is an unethical activity that violates property rights, privacy rights, and often results in monetary damage. The fact that it is an activity that does not require an investment in tools, and that can be practiced without actually damaging anything does not make it ethical. I am surprised that a university would endorse such unethical activity, but money talks, and this is not the first university to become a moral prostitute.

Is there a "need" for password hackers? Does the knowledge of the size and shape of security holes lead to better computers? I would be interested to hear how. In what instances in the past has improved electronic security led to a benefit to society or ended a situation that was detrimental to society?

The people I know who "need" electronic security have instead implemented physical security. Bank computers no longer have dialin lines. Defense plants build huge Faraday cages around their computer systems.