Path: utzoo!utgpu!water!watmath!clyde!att!lzaz!lznv!ziegler
From: ziegler@lznv.ATT.COM (J.ZIEGLER)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Summary: All right, here's what I really said.
Keywords: security intruder self-help
Message-ID: <1458@lznv.ATT.COM>
Date: 7 Oct 88 15:56:05 GMT
References: <167@carpet.WLK.COM> <1454@lznv.ATT.COM> <1834@ddsw1.MCS.COM> <2985@mipos3.intel.com>
Distribution: na
Organization: AT&T ISL Lincroft NJ USA
Lines: 46

I'm tired of flames in my mailbox. What I said was simply that news postings and email are inappropriate places for discussing security. I DID NOT SAY THAT SUCH THINGS SHOULD NOT BE DISCUSSED OPENLY.

There are three main problems that I see with discussing such things via news or email:

1) Not everyone who posts responses is knowledgeable about computer security, including many of those who think they are. Some of the advice will be wrong, and could lead to less security, not more. It is not possible to police this, so your best approach as a sysadmin is to ignore any security advice from someone you don't know and trust.

2) Such communications methods are not secure, and correct information could be modified in transit such that the recipient is not getting valid advice, but is being misled. See above. This applies even if you are mailing to root, as someone suggested, so I don't recommend that approach.

3) Not all sysadmins are competent, and certainly not all of them read the net. You have to weigh the expected advantage of posting such information against the expected disadvantage. I'm afraid that many more "crackers" than sysadmins will be reading the net, and I quite frankly don't want to give them ANY assistance whatsoever. If I felt that a net posting would prevent far more breakins than it would cause, I would be all for it. At this particular point in time, I believe just the opposite to be true.

I do not advocate, nor have I ever advocated, secrecy and ignorance as a method of computer security. I know that it doesn't work. My goal is to protect the innocent and avoid helping the guilty.

It appears that my previous posting was in fact not "'Nuff said". I hope this is. If you wish to discuss the philosophy of discussing security with me, send me email, don't clog the net. And don't bother flaming me. I won't answer.

Joe Ziegler
AT&T Bell Laboratories
Lincroft, New Jersey
(201) 576-2945
att!lznv!ziegler