Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!bionet!apple!bloom-beacon!mit-eddie!uw-beaver!cornell!batcomputer!itsgw!imagine!pawl11.pawl.rpi.edu!night From: night@pawl11.pawl.rpi.edu (Trip Martin) Newsgroups: news.sysadmin Subject: Re: Possible Fines for Virus Perpetrator Message-ID: <1676@imagine.PAWL.RPI.EDU> Date: 8 Nov 88 02:56:10 GMT References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <5332@medusa.cs.purdue.edu> Sender: news@imagine.PAWL.RPI.EDU Reply-To: night@pawl11.pawl.rpi.edu (Trip Martin) Distribution: na Organization: RPI Public Access Workstation Lab, Troy, NY Lines: 84 In article <5332@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes: >That attitude is completely reprehensible! That is the exact same >attitude that places the blame for a rape on the victim; I find it >morally repugnant. And by this same logic, someone who walks into the middle of a battlefield isn't at fault if he gets shot. We do have to take precautions if we expect to be reasonably safe from life's disasters. > >Consider an analogy: > >Locks built in to the handle of a door are usually quite poor; >deadbolts are a preferred lock, although they too are not always >secure. These standard, non deadbolt locks can be opened in a few >seconds with a screwdriver or a piece of plastic by someone with little >training. > >Now, if you have such a lock on your door, and you wake up in the >middle of the night to find that a stranger has broken into your home >and is wandering about, bumping into things in the dark and breaking >them, how do you react? Do you excuse him because the lock is easy to >circumvent? Do you thank him because he has shown you how poor your >locks are? Do you think *you* should be blamed because you never got >around to replacing the lock with a better one and installing a >burgler alarm? > Okay, suppose a bank follows this logic and has generally poor locks on their place of business. While the guy who breaks into a bank is still a criminal, the bank is also to blame, since it holds lots of money and is a very attractive target to criminals. Security should be a function of the value of the objects being protected. Now think about how valuable the information stored on your computer is... If you don't think that there are people who would love to get their hands on that information, or use your computer for their own purposes, you have another thing coming... Add to this the fact that the internet offers an unlimited supply of computers to hack and steal from... Now from the logic from a paragraph ago, we should be taking great pains to see that people can't get into our systems. While it won't stop the determined hacker, like bank security systems won't always stop the determined criminal, it will go a long way in stopping the casual hacker. And that alone could save us lots of grief. >We have failed to imbue society with the understanding that computers >contain property, and that they are a form of business location. If >someone breaks our computers, they put us out of work. If someone >steals our information, it is really theft -- not some prank gone >awry, and it certainly isn't some public service! You think that kind of logic is going to stop a criminal with real goals? The idea that murder is a serious crime has been passed down for thousands of years, yet that hasn't stopped people from doing it. What this guy did was a crime, but he also did us a real service. He got our attention in a big way. He succeeded in breaking into hundreds of computers in a matter of days. Next time the intrusion may not be so obvious, nor the damage done... >We cannot depend on making our systems completely secure. To do so >would require that we disconnect them from each other. There will >always be bugs and flaws, but we try to cover that by creating a sense >of responsibility and social mores that say that breaking and cracking >are bad things to do. Now we have to demonstrate to the world that >this is the case, and we will back it up with legal action, or we'll >continue to risk having bored students and anti-social elements >cracking whatever we replace the systems with until there is no longer >any network. Relying on social mores to protect your systems is a sorry policy. We certainly should have stiff legal penalties for hacking, but as everyone knows, to be punished, you have to be caught. And catching hackers can often be near impossible. -- Trip Martin night@pawl.rpi.edu userffs7@rpitsmts.bitnet Trip Martin night@pawl.rpi.edu userffs7@rpitsmts.bitnet