Path: utzoo!attcan!uunet!husc6!rutgers!apple!bionet!agate!garnet!weemba
From: weemba@garnet.berkeley.edu (Obnoxious Math Grad Student)
Newsgroups: news.sysadmin
Subject: Re: The viral high ground--go for it while I puke in the corner
Message-ID: <16843@agate.BERKELEY.EDU>
Date: 11 Nov 88 09:12:09 GMT
References: <16800@agate.BERKELEY.EDU> <425@rhesus.primate.wisc.edu>
Sender: usenet@agate.BERKELEY.EDU
Reply-To: weemba@garnet.berkeley.edu (Obnoxious Math Grad Student)
Organization: Brahms Gang Posting Central
Lines: 50
In-reply-to: bin@rhesus.primate.wisc.edu (Brain in Neutral)

In article <425@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>But if your "drill" isn't crippling, then it won't accomplish its
>intended end.  Because if it's not crippling, it can be (and would
>be) ignored.

>I suspect that such drills could even be dangerous, in the sense that
>they could easily come to be viewed as the boy crying wolf.  Then when
>the real virus comes in (and of course it will initially mimic a drill),
>all the sysadmins will yawn and say, "Oh, another drill.  Hm."

I only consider my proposal a first thought.  Thanks for a technically
oriented response.  I can only hope that just a few such drills would
be needed to convince people that security should be viewed seriously,
not as something to patch on at the end, or to trust to ethics or a
hoped-for anti-Morris verdict.

>Also, it seems to me that belittling the value of ethics is defeatist.

I don't see why being defeatist or not matters.  Personally, I think of
myself as somewhere between cynical and realistic.  Anyway, I've been
called worse in the past.

How many sites would be wiped out if a fire hit your computer room?  Are
your backups in the same room as your disks and computers?  This is a
small potatoes question that could have big potatoes consequences, yet
this kind of thinking is routinely just not done.  You have to approach
security in the same way.

As summarized in RISKS, e.g., "gets" has long been known to be a bug
waiting to happen--and it did with the fingerd attack--yet
backward-compatibility was viewed as more important than closing this
bug for the longest time.  I hope to see this kind of thinking go
extinct.

>You yourself concur that the net will not be made totally secure, but
>can be made *more* secure.  It seems reasonable that a greater degree
>of ethical behavior (instilled, say, by highly adverse consequences for
>unethical behavior) would also make the net *more* secure, even though
>not totally secure.

Making theft possible only for those with the heaviest of hardware does
more, I hazard, than teaching kids to "just say no" to stealing.  That
is, I envision some kind of security wall that discourages those with
slowly maturing ethics, just by making it not worth the effort for most
crackers.

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720