UNIX-WIZARDS Digest V3#078

mark at ems.UUCP mark at ems.UUCP
Wed Mar 11 14:22:27 AEST 1987


In article <4836 at brl-adm.ARPA> black at ee.UCLA.EDU (Rex Black) writes:
>> 	[ A request of details on holes in UNIX ]
>
>I feel that Gould was *extremely* ill-advised to post such a challenge,
>much less allow someone to take them up on it.  This so-called contest
>really boils down into nothing more than an extremely advanced seminar
>in how to destroy a Unix system.  By the time this ACM "attack team"
>is finished with their "project", every one of these people is going
>to be a veritable black-belt in system destruction.  It speaks pretty
>poorly of Gould that they feel no compunction about encouraging people
>to obtain this type of knowledge.  
>

Although I agree with Mr. Black about his concerns about the possible
implications of allowing access to this kind of sensitive information,
I can also see Gould's and ACM's point of view.

I think that Mr. Black's concern that once the information about
breaking a Unix system is shared with this 'attack team' these same
people will go around breaking systems for the fun of it may be taking
the issue a little too far.  Face it, someone out there knows how to break
the system; that is why ACM has solicited the response of the Unix community.
They KNOW that there are people out there who can break a system.  However,
much care must be taken to make sure that the people who form this attack
team will not use the techniques that they learn to harm other people.
After all, most black belts in martial arts do not run around killing people
just for the hell of it.

Gould is saying that they have produced the tightest system that they know
how.  However, they may have missed some holes, and they want to make sure
that these holes are plugged.  I think that it is admirable (if somewhat
cocky, based on their past 'competition') of Gould to do this kind of QA.

Only by breaking a system can you hope to fix the hole in it.  How do you
break it?  Trial and error.  It's similar to the fact that if nobody broke
into houses, they would not be equipped with locks.  If a lock is made to
keep out burglars, what better way to test it than to have the best
burglar try to pick it?  Obviously, you must be able to have some sort of
trust in the burglar first...

This is done all the time in real life.  Who do you think banks hire to 
repossess things?  Ex-cons.

Once again, I must reiterate that I do agree that care must be taken in the
selection of the attack team.  I would hope that whoever does the selection
is aware of the magnitude of the information that they are dealing with.
-- 
Mark H. Colburn          mark at ems.uucp      
EMS/McGraw-Hill          {rutgers|amdahl|ihnp4}!{dayton|meccts}!ems!mark
9855 West 78th Street     
Eden Prairie, MN 55344   (612) 829-8200 x235


