Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!husc6!purdue!spaf@cs.purdue.edu
From: spaf@cs.purdue.edu (Gene Spafford)
Newsgroups: news.sysadmin
Subject: Re: Possible Fines for Virus Perpetrator
Message-ID: <5347@medusa.cs.purdue.edu>
Date: 8 Nov 88 13:53:03 GMT
References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <5332@medusa.cs.purdue.edu> <1676@imagine.PAWL.RPI.EDU>
Sender: spaf@cs.purdue.EDU
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Distribution: na
Organization: Department of Computer Science, Purdue University
Lines: 80

In article <1676@imagine.PAWL.RPI.EDU> night@pawl11.pawl.rpi.edu (Trip Martin) writes:
>And by this same logic, someone who walks into the middle of a
>battlefield isn't at fault if he gets shot.

Whoa there... that's nonsense. Are you equating working with
computers to war? If so, you have a view pretty different than mine,
and I suspect quite different from most people. We don't sign on to
the computer expecting a worm or virus to have corrupted the system.
I expect some disasters like disk crashes and power outages, but
criminal vandalism is not expected behavior in this venue.

>Okay, suppose a bank follows this logic and has generally poor locks
>on their place of business. While the guy who breaks into a bank is
>still a criminal, the bank is also to blame, since it holds lots of
>money and is a very attractive target to criminals. Security should
>be a function of the value of the objects being protected.

I sure hope you never serve on a jury for a criminal trial. In both
law and philosophy, the bank is *not* to blame. Simply because they
don't have a vault adequate to stop a certain class of criminal does
not make them to blame in any way. No matter how good the vault is,
enough criminals and enough determination can be found to crack it
and that does not put any blame on the bank.
To say otherwise is to say that victims are always culpable for the
crime -- and that is both ludicrous and insulting.

>Now think about how valuable the information stored on your computer
>is... If you don't think that there are people who would love to get
>their hands on that information, or use your computer for their own
>purposes, you have another thing coming... Add to this the fact that
>the internet offers an unlimited supply of computers to hack and steal
>from...

You are espousing the philosophy of the cracker, not that of a
responsible user. This is my work environment, not some unlimited
playground for immature individuals. And the information on my
computer is of interest to very few, if any, people.

>>We have failed to imbue society with the understanding that computers
>>contain property, and that they are a form of business location. If
>>someone breaks our computers, they put us out of work. If someone
>>steals our information, it is really theft -- not some prank gone
>>awry, and it certainly isn't some public service!
>
>You think that kind of logic is going to stop a criminal with real
>goals? The idea that murder is a serious crime has been passed down
>for thousands of years, yet that hasn't stopped people from doing it.

Get real!! Breaking into computers is a different kind of crime than
murder. Murder is usually a spur-of-the-moment crime. Further, I
didn't claim that we should protect our systems *only* with education
and public mores. But if we don't emphasize that outlook, no matter
how much security we try to put into place we won't have reasonably
safe systems because there will be no reason for crackers not to try.

>What this guy did was a crime, but he also did us a real service.
>He got our attention in a big way. He succeeded in breaking into
>hundreds of computers in a matter of days. Next time the intrusion
>may not be so obvious, nor the damage done...

So?
Some of us have found or been one of the first to be informed of
ways to break into Unix systems. We could have broken into hundreds
of systems, but instead arranged to inform people of how to plug the
holes. Who has done the bigger service?

>Relying on social mores to protect your systems is a sorry policy. We
>certainly should have stiff legal penalties for hacking, but as everyone
>knows, to be punished, you have to be caught. And catching hackers
>can often be near impossible.

I never proposed that we rely solely on mores to protect our systems.
However, we need to emphasize that aspect more than we have.
Certainly we need to take a more formal approach to securing our
systems, but as I said before we can *never* completely secure our
systems if we wish to continue the Internet. As long as computers are
connected together and users allowed on them, there will be ways to
break "security." What we want is to increase the level of trust as
well, and that includes trusting other users. I'd much rather make it
clear that hacking is just plain wrong rather than have to punish
someone after the fact -- it is a better path for everyone involved.