Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!nrl-cmf!ames!acornrc!asylum!romkey
From: romkey@asylum.UUCP (John Romkey)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Keywords: Danger Will Robinson
Message-ID: <953@asylum.UUCP>
Date: 5 Oct 88 16:29:54 GMT
References: <1454@lznv.ATT.COM> <233@ssbn.WLK.COM>
Reply-To: romkey@asylum.UUCP (John Romkey)
Distribution: na
Organization: The Asylum; Belmont, CA
Lines: 29

In article <1454@lznv.ATT.COM> ziegler@lznv.ATT.COM (J.ZIEGLER) writes:
>Please, please, please!! Anyone with knowledge enough to answer
>this question, DO NOT POST IT TO THE NET!!!! Electronic mail and
>net postings are grossly inappropriate places to discuss security.

Security through obscurity does NOT work. Over and over again people have tried to protect their systems through ignorance. If the information exists anywhere, expect the crackers to find it. If it isn't written down, expect them to figure it out. It's amazing what you can do with a manual set, a bored mind and a terminal.

By hiding this information you're not disadvantaging the serious crackers or even the semi-serious ones. You're only really hurting the system administrators who could use it to try to protect their systems.

On the other hand, it would be pretty lame to just send a note in to net.* about the latest greatest way to break into 4.3 or VMS until a fix for it has been found and it has been communicated through some more subtle means.

Also, while it's pretty reasonable to post guidelines about how to secure systems, people who follow these guidelines should also not believe their systems are really secure. If your system is connected to a network or is physically accessible, it's probably not secure.

--
- john romkey
UUCP: romkey@asylum.uucp
ARPA: romkey@xx.lcs.mit.edu
...!ames!acornrc!asylum!romkey
Telephone: (415) 594-9268