The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #089 [spaf's (and other's) comments] (1 message, 1263 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/089.txt&t=text/plain

START OF DOCUMENT

From: dmr@research.att.com
To: phage
Date: Mon 05:02:40 07/11/1988 EST
Subject: spaf's (and other's) comments

It seems to me that Gene is somewhat missing the point in
some of his comments, and others (in netnews and elsewhere)
are too.  It is simply unrealistic to say that cracking the
Internet and Unix isn't hard, that most people are nice
and so should everyone be, and please report problems
instead of exploiting them.  Of course we need to
encourage reporting, not exploiting, but it is not enough.

The issue really turns more on responsibility.  Unlike PC
viruses that spread via floppies, the recent problem
owed to specific and ultimately simple mistakes that
could have been (and in retrospect should have been)
repaired long ago.  The existence of people willing
to do bad things to our systems has been demonstrated
time and again; it is not enough simply to point out
that they are criminals, whether in the legal or
a more abstract sense.  Rather than writing off the
episode as the work of a criminal, we need to give
more careful thought to defenses against real criminals.
It is worth listening to the conclusions of
the New York Times, observers like Peter Neumann, and
(yes) Bob Morris Sr.  Security can be, and must be,
improved, and inveighing against bad guys just
won't cut it.  Moreover, as I have observed
over and over (and not just in this instance),
merely reporting security problems does not
cause them to be fixed.  This incident was terribly
painful, but it was necessary, and something like
it was inevitable.

I can't resist mentioning Gene's remarks on the Morrises.
It is undeniable that if Robert (Jr) loosed the worm, he was
vastly careless of the likely effects of his actions;
whether he will suffer legal consequences remains to be
seen.  However, especially considering the amount of effort that
Bob (Sr) has spent attempting, against considerable resistance,
to improve the security of Unix, I think Gene's slur on
Bob is inappropriate and irresponsible.  He also said,
"I myself am a computer user but I'm also a father.  That
makes it difficult to separate the two roles, although, of
course, they have to be separated."

		Dennis Ritchie

END OF DOCUMENT