Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!mailrus!accuvax.nwu.edu!nucsrl!telecom-request
From: john@bovine.ati.com (John Higdon)
Newsgroups: comp.dcom.telecom
Subject: The Wrong End of the Telescope
Message-ID: <4262@accuvax.nwu.edu>
Date: 22 Feb 90 03:54:49 GMT
Sender: news@accuvax.nwu.edu
Reply-To: John Higdon
Organization: TELECOM Digest
Lines: 62
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 123, Message 2 of 5

In TELECOM Digest Volume 10 : Issue 118 you write:

> People just can't seem to grasp the fact that a group of 20 year old
> kids just might know a little more than they do, and rather than make
> good use of us, they would rather just lock us away and keep on
> letting things pass by them. I've said this before, you can't stop
> burglars from robbing you when you leave the doors unlocked and merely
> bash them in the head with baseball bats when they walk in. You need
> to lock the door. But when you leave the doors open, but lock up the
> people who can close them for you, another burglar will just walk right
> in.

I heartily agree. The standard mode is to develop new technology, or new
uses for existing technology, and give little or no thought to how you
keep it secure for the users. In the early days of any new procedure, the
security rests in the reality that few people even know that such a thing
exists. But this form of "security" is fleeting, since it takes little
time for the curious to discover it and to find its weaknesses. Then
phase two of the standard mode kicks in, and the developers and users
manage to convince law enforcement authorities that criminal minds are at
work when their technology is breached.

Can you imagine the indignation and anger of someone who has discovered
that his small business is being answered after hours by an outgoing
announcement on the machine that is full of obscenities? The business
owner would certainly be thinking to himself, "There ought to be a
law...". But what he should be reflecting upon is the silliness of
relying on a two-digit "security" code to protect him from such pranking.

This applies to computers, telephone systems, in fact everything. Those
who leave their systems "open" to the public should expect the curious to
enter and look around. Banks don't keep their negotiable instruments in a
closet secured with a hasp and padlock, then expect the police to go
after everyone that makes off with the goods. They use concrete and steel
vaults secured with sophisticated time locks. Sure, even these can be
broken into, but it requires resources beyond the casual criminal.
Likewise, there are computer systems that are, indeed, relatively secure,
and entry to these systems is beyond the means of the average hacker.

I don't for one minute think that any hacker would be interested in any
of my stuff, but I take reasonable precautions to prevent casual entry.
My client's DISA is protected with a seven-digit code that allows one
attempt and then hangs up if unsuccessful. Likewise my Watson is
protected with a long code. I review the logins on my computers daily and
change the root passwords regularly. For any commercial or government
entity to do less is in itself criminal. To then go after "hackers" for
simply walking in the relatively open door and prosecute them is an
offense.

A little story: A few years ago, I was dialing around in the "test
number" area looking for interesting test numbers and happened to stumble
on one that returned this message: "Your number has been recorded and you
will be billed for this call. Also, your parents will be notified." I
didn't stop laughing for a week.

John Higdon         |   P. O. Box 7648   |   +1 408 723 1395
john@bovine.ati.com | San Jose, CA 95150 |       M o o !