Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!decwrl!purdue!mailrus!tut.cis.ohio-state.edu!rutgers!okstate!romed!drd!mark
From: mark@drd.UUCP (Mark Lawrence)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Summary: Whether or not to discuss security on the net
Keywords: security intruder self-help
Message-ID: <284@drd.UUCP>
Date: 5 Oct 88 22:22:15 GMT
References: <167@carpet.WLK.COM> <1454@lznv.ATT.COM> <1144@unisec.usi.com>
Reply-To: mark@drd.UUCP (Mark Lawrence)
Distribution: na
Organization: in *this* company!?
Lines: 55

Quoting something I've kept around and is now, again, apropos:

From: Robert Mathiesen
Subject: lockpicking

Apropos of Randy D. Miller's surprise that information on lockpicking is so readily available, I cannot resist quoting Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published about 140 years ago. His words are also relevant to much of the discussion on computer security which has gone on in this Forum.

"A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done.
If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practised it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased. ..... The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good."

The subsequent development of lockmaking in the course of the next 140 years has long since demonstrated the correctness of Tomlinson's argument in his own field. I do not doubt that it is equally applicable in the area of computer security.

--
DRD Corporation @ 5506 South Lewis | [uunet!apctrc,romed,tulsun]!drd!mark
Tulsa, IT 74105 (918)743-3013      | mlawrence@jarsun1.ZONE1.COM