Path: utzoo!yunexus!geac!daveb
From: daveb@geac.UUCP (David Collier-Brown)
Newsgroups: comp.unix.questions
Subject: Re: wiretapping techniques
Message-ID: <3079@geac.UUCP>
Date: 27 Jul 88 12:14:20 GMT
Article-I.D.: geac.3079
References: <16625@brl-adm.ARPA>
Organization: GEAC Computers, Toronto, CANADA
Lines: 34

From article <16625@brl-adm.ARPA>, by roberts@cmr.icst.nbs.gov (John Roberts):
> I think that open discussion of weak points and breakin techniques is likely
> to cause much more harm than good, 

   Only in the short run!

   Regrettably, people are human.  If you want a given level of
security (of data) and don't have it, you typically have to
**demonstrate** that you don't have it.  However, to demonstrate
this you have to threaten security... yourself.

   This can get you in trouble.  In fact, the test to prove that you
**do** have a given level of security can get you in trouble! 

  One of the basic tenets of "orange book" security is that the
means used to ensure security are to be publicly known.  This does
not extend to detailed schematics of hardware to open a covert path,
but it does strongly suggest that known weaknesses should be
reported.  
  Have a look in the security discussion group, the literature of
computer security, etc. for further support of "security by design,
not by obfustication"...


 --dave (B1 on a workstation) c-b

ps to John: sorry if this sounds like a flame: It's not, it's just 
a common-mode error that I get **real** annoyed at hearing
made again and again... (:-{)
-- 
 David Collier-Brown.  {mnetor yunexus utgpu}!geac!daveb
 Geac Computers Ltd.,  |  Computer science loses its
 350 Steelcase Road,   |  memory, if not its mind,
 Markham, Ontario.     |  every six months.