The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #095 [Re: spaf's (and other's) comments] (1 message, 1505 bytes)


From: Gene Spafford <spaf>
To: phage
Date: Mon 09:50:20 07/11/1988 EST
Subject: Re: spaf's (and other's) comments

In fact, there is perhaps a better analogy.

Locks built in to the handle of a door are usually quite poor;
deadbolts are a preferred lock, although they too are not always
secure.  These standard, non-deadbolt locks can be opened in a few
seconds with a screwdriver or a piece of plastic by someone with little

Now, if you have such a lock on your door, and you wake up in the
middle of the night to find that a stranger has broken into your home
and is wandering about, bumping into things in the dark, thus breaking
them, how do you react?  Do you excuse him because the lock is easy to
circumvent?  Do you thank him because he has shown you how poor your
locks are?

Later, if it turns out that the intruder was a bright college student,
son of a policeman, and his father was quoted in the papers as saying
"It was the work of a bored graduate student.  This will ultimately be
a good thing because people will improve the security of their homes."
wouldn't you wonder what the hell that policeman was doing on the

I didn't mean to slur Robert Morris, Sr.  He has demonstrated
competence and professional behavior in the past. However, if his
attitude is really as was expressed in the newspaper article, then I am
distressed.  I would hope somebody with his background and position
would stress how serious this was, not that it might be a "good
thing."  I hope it was simply a case of a distraught father being
partially quoted by the Times.

We have failed to imbue society with the understanding that computers
contain property, and that they are a form of business location.
If someone breaks our computers, they put us out of work.  If someone
steals our information, it is really theft -- not some prank gone
awry.  If someone broke into the NYT and vandalized their printing
presses, it would not be dismissed as the work of a bored college
student, and even if it was the son of the editor, I doubt anyone
would make a statement that "It will ultimately be a good thing --
we'll be forced to improve our security."

We cannot depend on making our systems completely secure.  To do so
would require that we disconnect them from each other.  There will
always be bugs and flaws, but we try to cover that by creating a sense
of responsibility and social mores that say that breaking and cracking
are bad things to do.  Now we have to demonstrate to the world that
this is the case, and we will back it up with legal action, or we'll
continue to have bored students and anti-social elements cracking
whatever we replace the systems with until there is no longer any