Should Dan post full details of his tty bugs?

Steven Bellovin smb at ulysses.att.com
Tue May 14 11:42:29 AEST 1991


Several people have suggested that Dan post full details, simply because
responsible ``undergrads'' will at most verify the existence of the
problem, and then report it to the system administrator.  Some, it is
claimed, will even offer help in fixing the problem.

The above statements are true, but irrelevant.

It only takes one malicious user to wipe out an entire system.  Why
would someone do that?  I don't know -- why do some people slash
car tires, or scribble on bathroom walls?  There's no reason to think
that access to the Internet is a warranty of one's ethical behavior.
This much is certain:  some people commit such actions, for whatever
reason.

Even assuming I'm willing to trust all of my legitimate users -- and
that would be a rash assumption; most studies indicate that most
security problems are from insiders -- I'm not willing to wager that
no outsiders are using my system.  More precisely, given the apparent
density of security holes and lapses, I must assume that at some point,
people I don't trust will crack my system.  If that happens, I very
much want to prevent any further damage -- and we know that one of the
first things a {cr,h}acker tries to do is to collect more passwords for
use on other machines.  The holes Dan is talking about are directly
implicated here.

It is, incidentally, somewhat libelous to blame ``undergrads'' as a
class for being hackers.  It's simply that undergraduates as a class
are the youngest group with substantial representation on the Internet.
And, like it or not, age is well-correlated with the incidence of
all manner of anti-social behavior.  Call it lack of maturity, call
it idle hands, call it what you will -- but the fact isn't particularly
disputable.  Yes, there are responsible undergraduates -- the vast
majority, in fact.  And many of the ones who poke and pry into systems
really are trying to learn.  I sympathize -- I did (and do) the same.
But, just as the library finds it necessary to place some restrictions
on who can remove which books, and for how long, a responsible system
administrator takes precautions to ensure that *everyone* can use
the computer system.

		--Steve Bellovin

P.S.  Don't read this as saying Dan should or should not post full
details.  I have my own opinions, but I'm not in the mood to post
them now, amidst the Sturm und Drang.
