Path: utzoo!utgpu!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!garnet!weemba
From: weemba@garnet.berkeley.edu (Obnoxious Math Grad Student)
Newsgroups: news.sysadmin
Subject: Re: The viral high ground--go for it while I puke in the corner
Message-ID: <16800@agate.BERKELEY.EDU>
Date: 10 Nov 88 12:36:37 GMT
References: <16672@agate.BERKELEY.EDU> <7882@bloom-beacon.MIT.EDU>
Sender: usenet@agate.BERKELEY.EDU
Reply-To: weemba@garnet.berkeley.edu (Obnoxious Math Grad Student)
Organization: Brahms Gang Posting Central
Lines: 82
Supersedes: <16799@agate.BERKELEY.EDU>
In-reply-to: tytso@athena.mit.edu (Theodore Y. Ts'o)

In article <7882@bloom-beacon.MIT.EDU>, tytso@athena (Theodore Y. Ts'o) writes:
>In article <16672@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>What the HELL does that matter? Are you going to run around with your
>>heads in the sand over and over again, yelling "ain't my fault our locks
>>are all ten years out of date"? What does it take to wake you folks up?

>Stuff like this makes me wish that news.admin _WAS_ moderated. Sigh.

[I'll pretend that this is news.admin for the sake of argument.]

Why? You think it's essential that everyone play kiss ass yup yup yup regarding security?

>>Ooooh. A sense of responsibility and social mores? So you can declaim
>>from the moral high ground when ARPANET goes belly up three years from
>>now? How about a sense of intelligence and security to go with it?

>Repeat after me three times. "The ARPANET cannot be made secure." Got
>it? Now repeat it three more times.

Of course it can't be made secure. But it could be a hell of a lot more secure than it is now. A HELL of a LOT more. Complaining about RTM's lack of ethics is not the way to make it more secure. Got it yourself?

> So what are we
>going to do about it? We have to deter people from doing anti-social
>things --- either by giving them a sense of ethics or stringing up
>people who do these things.
Why do you sneer at ethics so?

Because I don't believe that ethics will work. People aren't going to get much of a way of ethics, and the stringing up of RTM you all keep foaming for is bloody unlikely.

>In a previous article, you said that the virus/worm should be released
>every month to keep sysadmins on their toes.

No, not to keep sysadmins on their toes. To get them--and their bosses--and maybe thus their vendors--to start making security a serious priority. And not an afterthought. And I've only floated it up as an idea for kicking around, not a mandate about what SHOULD be done. You'll recall that I used the word "drill", as in FIRE DRILL. I didn't ask for genuine FIRES.

> Well, how about this:
>every month, someone will randomly spray your office with machine gun
>fire. That'll teach you to wear bullet-proof vests!

These "proofs" by analogy are always so ludicrous. Is random machine gunning of offices an almost certainty? Maybe over in Lebanon, but not here in the USA. In contrast, is more computer cracking a certainty? YES...

What are you going to argue next? That fire drills be cancelled at schools? That earthquake drills not be held here anywhere in California? After all, it's just as easy for you to compare these drills to your machine-gun analogy.

>I was up all night thursday fighting this thing; I'm not inclined to
>think it was a "harmless prank" or an "effective way to wake us up"

I never claimed that it was a "harmless prank". (By the way, if you think this news.admin ought to be moderated, why do you engage in such blatant lying? Is this what Gene Spafford calls "professionalism"?)

Nor did I ever claim that the Morris worm was an effective way to wake people up, other than some early theorizing before the facts were in. I'd *LIKE* to see it become such in retrospect, but the large number of people thinking "OK, I fixed the sendmail bug, let's nuke the bastard so that no one will ever do this again" makes me doubt this.
> just as you wouldn't think that my shooting your feet off would
>be a good way to remind you to wear bullet-proof armor all the time.

Ignoring the fact that your analogy is indeed irrelevant, note that I'm NOT suggesting that anything crippling be done--just something that keeps security a high company/university/institute priority across ARPANET and elsewhere. I simply do not expect this attitude to come voluntarily.

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720