Path: utzoo!attcan!uunet!husc6!bu-cs!dartvax!creare!was
From: was@creare.UUCP (Wayne Smith)
Newsgroups: news.sysadmin
Subject: Re: Getting Complacent
Message-ID: <853@creare.UUCP>
Date: 10 Nov 88 21:37:50 GMT
References: <44439@beno.seismo.CSS.GOV> <16742@agate.BERKELEY.EDU> <5366@medusa.cs.purdue.edu>
Reply-To: was@creare.UUCP (Wayne Smith)
Organization: Creare, Inc. Hanover, NH
Lines: 51

In article <5366@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>
>>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
>>that you can feel justified about being smug and complacent re security?
>
>1) Rick (and I and others) are hardly smug and complacent about
>security. We're working on it, and have been working on it, for
>quite some time, although that is not our primary job.

Ah, you're much too modest. I'd say all that work has paid off
handsomely. You are much more smug and complacent than you give
yourself credit for. 1/4:)

>2) Some of us are concerned about ethical issues in addition to
>technical issues. Too many people are not concerned with ethics,
>professionalism, liability, et al.

Ethical considerations are not going to help secure my installation
from theft and vandalism. As many (especially those who would like
to see RTM hang) have testified, we can be greatly inconvenienced and
even injured by a breach of security. The problem is, as weemba has
reiterated, that keeping holes out of the view of the "general public"
does not keep them from being used maliciously by vandals, terrorists,
etc. It only keeps them from being fixed. Thanks to RTM, a few of
these holes were moved into plain view and the general public was
forced to stop and look. We screamed at the sight, the thought of
falling in, and the inconvenience of having to stop, and together, we
demanded that the biggest holes be patched.

Unfortunately, some of us think a good way to help keep other holes
from being maliciously exploited is to make an example of the person
who forced us to look.

I think that people like you, Spaf, do the Unix community a disservice
by insisting that we are better off not knowing the details of the
holes in our own systems. Do you flatter yourself that you can
mobilize the likes of DEC, AT&T, HP, Sun, and IBM to go to the trouble
and expense of fixing thousands of installed Unix systems when none of
their customers know of any specific problem? What kind of secret note
can you alone send that will grab their attention and send them
scurrying to fix the problem?

I am sure that it is people like you who are qualified to find the
holes and provide the fixes (with the help of individuals like RTM),
but it is WE who motivate and move the market. If WE do not know the
problems, their details, and the dangers they present, they will not
be repaired.

-- 
Wayne A. Smith
Creare Inc.            arpa:  was%creare%dartmouth.edu@relay.cs.net
P.O. Box 71            uucp:  dartvax!creare!was
Hanover, NH 03755      phone: (603) 643-3800