Security or what?


Michael T. Stolarchuk (mts@emptys.cc.umich.edu)
Tue, 07 Apr 87 16:37:31 EDT


I'm surprised about messages I receive where the intent
of the author is to raise my consciousness by making me angry.
What usually happens is this -- I get angry.

So is the case with the message from Mark Crispin.

        The philosophy behind Unix largely seems quite reminiscent of the
        ... "security through obscurity;"

The only security is through obscurity. It is precisely the lack of
information which secures some system. As an example, consider publishing
the passwords of all the accounts on a system, or the private parts of
a DES pair.

        entrust our systems and data to an open-ended set of youthful
        hackers (the current term is "gurus") who have mastered the
        arcane knowledge.

I'm confused here about the term youthful hackers. Is youthful under 18?
under 25? under 35? under 45? I know of many excellent programmers
in all age groups. I also know malicious usage has no age range.

Mark, if you are a manager, have you had occasion to use the same talents
you are complaining about to solve some particular problem without getting
involved? Are you complaining about their knowledge or about your unwillingness
to learn what you need to know?

        The problem is further exacerbated by the multitude of slimy
        vendors who sell Unix boxes without sources and without an
        efficient means of dealing with security problems as they
        develop.

The focus seems to have changed. If the discussion was about Unix problems,
if the focus was about selection criteria for the people hired,
the focus is now on vendor problems?

Even so, I wasn't aware that lack of source was the key to the security
problems on Unix systems. I'm not aware of too many Unix vendors who
are unwilling to share their code when they are reimbursed for their efforts.

        I don't see any relief, however.
        There are a lot of politics involved here.

<here? Where is here? Stanford? Sumex? California? USA?>

        Some individuals would rather muzzle knowledge of
        Unix security problems and their fixes than see them fixed.

This may be true. This may always be true.

        I feel it is *criminal* to have this attitude on the DDN,
        since our national security in wartime might ultimately depend
        upon it. If there is such a breach, those individuals will be
        better off if the Russians win the war, because if not there will
        be a Court of Inquiry to answer...

Ah, after a lot of thought, I think I am beginning to understand what you
are trying to write. Are you assuming the sensitive machines on the DDN
to be Unix machines? And from there assuming they are unsecured?
I would think people using machines and needing particular levels of
security would be well aware of the issues, much more than you or I.
I have seen some of the specs to come out of the military for secure
systems, and have felt very good about the military's own understanding
of its needs.

        It may be necessary to take matters into our own hands, as
        you did once before.

<focus? ranting?>

        I am seriously considering offering a cash reward for the
        first discoverer of a Unix security bug, provided that the
        bug is thoroughly documented (with both cause and fix).

Now I am beginning to understand a bit more... so it happens these kinds of bugs
have been found before. In fact, bugs have been discovered. In fact,
information has been sent out, describing the problem, and the resolution.

        There would be a sliding cash scale based on how devastating the
        bug is and how many vendors' systems it affects.

<focus?>

        My intention would be to propagate the knowledge as widely
        as possible with the express intention of getting these bugs
        FIXED everywhere.

If that is your intention, then the process you are suggesting for making
it happen is faulty. You are trying to get people to help you by making
them angry at you. This will not work.

        Knowledge is power, and it properly belongs in the hands of
        system administrators and system programmers. It should NOT be
        the exclusive province of "gurus" who have a vested interest in
        keeping such details secret.

Here I am very confused. It seems the people who are referred to as "gurus"
are the very best system programmers. All the "gurus" I have ever met
have many talents beyond programming, including leadership. Getting the
leadership required excellent interpersonal skills. As mentioned above,
if this is not the case where you work, then the people responsible for
selecting appropriate individuals for their positions have made mistakes.

As for "in the hands of"; an analogy may make clear that this is
not necessarily the best way... I would guess the same was said to the
people making the atomic bomb; that they had the understanding to create
the bomb, but not the understanding to use it correctly. Deferring the
responsibility to the people who wanted it for "power" created an environment
where those people used the very technology only for "power".

I would say for you to focus on the knowledge itself, because for you,
the knowledge will not be power.



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:38:06 GMT