Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uflorida!novavax!proxftl!twwells!bill
From: bill@twwells.uucp (T. William Wells)
Newsgroups: news.sysadmin
Subject: Re: Being anti-moral (was Re: Getting Complacent)
Message-ID: <211@twwells.uucp>
Date: 27 Nov 88 06:41:07 GMT
References: <44439@beno.seismo.CSS.GOV> <16742@agate.BERKELEY.EDU> <5366@medusa.cs.purdue.edu> <172@twwells.uucp> <13150@ncoast.UUCP>
Reply-To: bill@twwells.UUCP (T. William Wells)
Organization: None, Ft. Lauderdale
Lines: 95

In article <13150@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes:
: As quoted from <172@twwells.uucp> by bill@twwells.uucp (T. William Wells):
: +---------------
: | [about Weemba]
: | Mr. Spafford, you have been most reasonable in this debate; don't you
: | think that it is a good idea to stop encouraging this ethical midget
: | to post?
: +---------------
: Much as it may annoy you, Weemba has a good point to make about this whole
: thing. (I do admit that his language is, as usual, almost(?) enough to
: obscure the point he's trying to make.)

Let me see. After perusing what postings remain of his (slogging through sewage would have been more pleasant), I see four points he is trying to make:

1) The Worm did us a favor by pointing out a security hole and by increasing awareness of security issues.

2) It is no good blaming or prosecuting The Worm because that doesn't accomplish anything.

3) Existing systems are not secure enough and this must change.

4) Things like The Worm should be done more often, to force people to make their systems more secure.

Did I miss anything important?

1) It is true that The Worm did point out a security hole. It is even arguable that he increased awareness of security issues, though I believe that this is only a passing fad. But. The cost of his method of pointing out the security hole is, I imagine most sysadmins would agree, much greater than it had to be.
The counter-argument that no one would listen to the other methods of presenting the hole is so much hogwash; I'll not spend time (in this posting) re-explaining what's wrong with this opinion.

2) It certainly won't replace the kilohours of others' time spent by The Worm. Nor, by itself, will it prevent the future abuse of systems by crashers. However, it will certainly raise the perceived cost of crashing, with the effect of reducing the number and maliciousness of crashers.

3) The systems are exactly as secure as the various people who are responsible for them believe, all things considered, they should be. Security has its costs; system administrators have the current level of security as a consequence of balancing the perceived cost of security over the perceived benefits of security. This is a value judgement; Weemba the Mouth is certainly not competent to make it for them.

As to whether system administrators would make their systems more secure if they could, I imagine that most would; but that decision, and its implementation, belongs to them and not to Weemba.

4) If someone makes it a practice to exploit network security holes on a regular basis, you can expect that most systems will either be removed from the net, or will be given an interface to the net that, while it will screen out most security infringements, will also make the net much less useful to the users. Economics virtually guarantees that result, at least till technology makes it possible, if ever, to have a secure network.

Let me put it this way: if some virus, worm, or what have you were to come in over the net on a regular basis, we at Proximity would simply disconnect from the net. Period. We can't afford to have our machines put down by such problems; the value of net access doesn't even come close to the cost of recovering from them. Are we unique? I don't think so.

The attempt to *force* security on the net will simply result in the fragmentation of the net.

Screwing over relatively unsecure systems seems to be the core of the Mouth's position: that since system administrators, vendors, and others do not, in his overweening opinion, care enough about security, they should be *forced* to care about it. Since there is no legal compulsion available, one ought to pound on existing security holes till the systems are as secure as the Mouth would like them to be.

Like I said. Weemba the Mouth is not competent to make ethical judgements, yet that is exactly what he is doing. Well, he's entitled to his own incompetence, but we ought not to pay any attention to his rantings.

---
Bill
{uunet|novavax}!proxftl!twwells!bill