Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!bloom-beacon!oberon!cit-vax!ucla-cs!zen!ucbvax!LLL-ICDC.ARPA!OBERMAN
From: OBERMAN@LLL-ICDC.ARPA ("Kevin Oberman, LLNL, 422-6955, L-156", 415)
Newsgroups: comp.os.vms
Subject: Re: Hackers - Article in British Press
Message-ID: <8709171525.AA14605@ucbvax.Berkeley.EDU>
Date: Wed, 16-Sep-87 11:03:00 EDT
Article-I.D.: ucbvax.8709171525.AA14605
Posted: Wed Sep 16 11:03:00 1987
Date-Received: Sat, 19-Sep-87 14:43:53 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 61

>This was printed as the lead story in "The Guardian" of Tuesday 15th
>September. It's a follow up to the **Important Message** posted at
>the beginning of August. Aren't the mistakes cute !

(Story omitted)

While the mistakes are `cute', the large part of the story seems accurate. Namely that several systems were compromised and that, while the hackers didn't seem to make any effort to be destructive, the next such crackers may NOT be so nice!

While the network was not "Top Secret", or even classified, the users of the system involved must be aware that a great deal of valuable data was a few keystrokes from destruction. And even if the files were all recoverable from BACKUPs, the time lost and disruption of normal operations would have been high.

Even without destruction of any data, the system users have most certainly been inconvenienced a great deal in the effort to determine exactly what has happened. And the lives of network and system management personnel all over the world will just be made more difficult as security departments and upper management seek assurance that it can't happen to them.

And I'm not willing to make that assurance. It looks to me that it can happen to anyone on any system with connections to a reasonably large network. While most breakins can be attributed to `lax system security', that's like attributing most airplane crashes to `pilot error'.
While the final responsibility rests with system management personnel, it is important to remember that we all make mistakes and the next breakin might be into your system (or mine). Don't just think that breakins only happen to the other guy!

Every manager must keep up to date on what is happening in items related to system security and every organization must determine how much time and money they are willing to pour into the problem.

I'm not sure that any amount of money or effort can make a system on a large network (such as SPAN or the Internet) really secure. At best it makes it secure from the attacks seen in the past. But hackers are sometimes bright, imaginative people. And time is not always as important to them as it is to you. They WILL come up with new schemes for getting where they don't belong. Stories like the one from the Guardian just make the hackers of the world anxious to see if they can do the same thing!

Please! No flames on my use of the term `hacker'. We've been through that before!

I've rambled a bit and tossed in some personal opinions that all may not agree with, but I think that a number of the issues are ones that both computer management personnel and their bosses should be thinking about.

Thanks for your time,

R. Kevin Oberman
Lawrence Livermore National Laboratory
arpa: oberman@lll-icdc.arpa
(415) 422-6955

Disclaimer: These opinions are mine. With any luck my boss will never find out about them. And if he does, he'll probably chalk them up to too much time spent in front of a terminal. I'm a rotten typist and a worse speller, so forgive any silly errors.