The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #093 [Re: spaf's (and other's) comments] (1 message, 972 bytes)
NOTICE: recognises the rights of all third-party works.


From: comer (Douglas Comer)
To: phage
Date: Mon 09:00:32 07/11/1988 EST
Subject: Re: spaf's (and other's) comments
References: [Thread Prev: 139] [Thread Next: 095] [Message Prev: 092] [Message Next: 094]


   While I agree with most of what you said, I think it sets
the wrong tone by implying that "we deserved it, and it will be
good for us."  We didn't.  It won't.  First, Because we're human
such subtle mistakes will happen no matter how careful we attempt
to be.  We cannot condemn the community as irresponsible because
a programmer introduced a security "hole" when he/she forgot to
check array bounds.  Second, as I have pointed out before, we have
extremely powerful communication primitives like rsh and it would
be a mistake to limit scientific experimentation with such primitives
just to make our systems tamperproof.  Certainly, this episode will
not be "good" for us -- if anything, it will have negative impact
on the freedom to experiment with new distributed system facilities.

   A good analogy can be drawn with vending machines.  When they
were introduced, vandals could smash them with a hammer and take all
the cash and/or product.  Things didn't change until the government
made it a federal offense to break into them (and required owners to
take reasonable precautions like not using glass cases).  While
vandals can still grab entire vending machines in a pickup truck, the
stiff criminal penalties make it very unattractive.  The same will be
true about networks and computers: we need it to be treated as a
serious crime, to deter vandals.