Xref: utzoo news.admin:3919 news.sysadmin:1231
Path: utzoo!utgpu!watmath!clyde!rcj@moss.ATT.COM
From: rcj@moss.ATT.COM
Newsgroups: news.admin,news.sysadmin
Subject: Re: A *Big* Thank You
Message-ID: <36107@clyde.ATT.COM>
Date: 9 Nov 88 01:12:41 GMT
References: <361@itivax.UUCP> <367@execu.UUCP> <1294@tmpmbx.UUCP> <368@execu.UUCP>
Sender: lp@clyde.ATT.COM
Reply-To: rcj@moss.UUCP (Curtis Jackson)
Organization: AT&T Bell Laboratories, Whippany NJ
Lines: 81

In article <368@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
}Followups to alt.flame, please.

Even if we got the alt groups, I couldn't allow you to make such inflammatory comments in these newsgroups and then skulk off to alt.flame -- you're the one advocating that Bob Morris "face the music"; right now it's your turn! ;-)

}Hans, you're a much nicer guy than I am. I learned a long time ago that to
}be secure, you close your system off from the outside world, otherwise you
}cannot be really secure. Sorry, this didn't really do much in anything like
}a nice way.

No, you can't be *really* secure. But you can have a relatively secure system without HUGE GAPING holes like the one Bob Morris exploited.

}Yes, there are holes - and I'll bet you that while these get patched pretty
}darned quickly, there will be more and more as time goes on. So? Does that

And why are these holes being patched so quickly? Why weren't they patched before now? Because no one had exploited them *that we know of*, and we were just damned lucky that the first person who did so wasn't malicious.

}Think this through. If this clown had really been even remotely inclined to
}do anything resembling help people, there are literally hundreds of other
}scenarios that he could have chosen.

Like what? Name one. You cannot in good conscience expose a major security hole unless you are reasonably sure that whoever you tell about it is not only trustworthy, but can be counted on to disseminate the information quickly and reliably to *all* systems that have the hole. If you can look in your Official Internet Directory and give me the number of the Computer Security Agency for All of the Internet then I'll acquiesce.

}I know that if someone really wants to, they can go into the parking area here
}and slash a few hundred tires. We don't have 24 hour a day security, because
}most responsible people know better, and a large part of what's left are also
}aware that doing it and getting caught will do bad things to their personal
}wealth, freedom, and possibly health. Yes, a few people in the world do that
}kind of thing - we call them criminals or outlaws, not 'hackers'. I still

Another horribly inaccurate analogy. Let's see if we can rectify that.

Let's say everyone has one of those 5-button combination locks on their car doors -- the kind that Ford and others had on luxury cars where you could punch in a 5-number combination to unlock the driver's door, then follow that with another digit to pop the trunk. Now let's say someone comes into your unguarded parking lot full of LOCKED cars, opens everyone's trunk, jacks up each car, takes off each car's rear tires and locks the tires and lug nuts back in the trunk.

You all come out and see this and are appalled and outraged. Other owners of the same type of cars are frightened -- how did this person do it? You discover that the maker of the cars, in its infinite carelessness/stupidity, has assigned the same combination to ALL of the cars! Now, each car owner has to unlock the trunk, drag out the tires and lug nuts, and put the tires back on. And each driver goes to a service center at a carmaker X dealership and gets a custom combination.

Was time and effort wasted? Yes. Was any damage done? No! Are the cars now completely secure from theft? No. Were many probable future thefts of valuables from locked cars prevented? Yes! It's a bit more complicated than tire-slashing.

}If we are lucky, Morris will be sued to the point that his personal fortune
}will be totally taken from him and he will be blackballed from anything
}even resembling a responsible job for the rest of his life. And also we can
}hope that this punishment will be widely publicized such that the very large
}number of people that think this kind of thing is a fun thing to try will
}have major second thoughts.

I just *love* people who advocate making an example of one particular individual despite the injustice that implies. I hope you get stopped for speeding someday and they decide to give you 5 years in prison so "the very large number of people that think this kind of thing is a fun thing to try will have major second thoughts."