
Re: Security!



As regards this issue...
About 10 years ago an Astronomer at the Lawrence Berkeley Labs was
assigned to maintain the computer system/network at an administrative
level.  He discovered a discrepancy of a couple of seconds.  The need to
have perfect books led him, Clifford Stoll, on a wild exciting adventure
through computer security holes, many in "SECURE" US Government
facilities.  Running standard UNIX.  Worldwide.  The end result is a
book "The Cuckoo's Egg" by Clifford Stoll.

Nobody is Perfect.  I suggest you get a copy or two and loan them to your
clients.  I suggest they are actually the final responsible authority of
the system security.

I hope this gives you a new piece of ammunition.

Bill

Billy Harvey wrote:

>  > One of my clients is in discussion with their lawyers about the
>  > possibility of suing the owner of one of the cracked machines
>  > for negligence.
>
> IANAL, only a mere EE, but here's MHO, FWIW.  If I, or anyone with any
> technical computer knowledge, sat on this jury, your client would
> probably lose his case.  The exception would be if this person put a
> computer on the internet and advertised to others that the system was
> available for illicit use - that would incur the sort of
> responsibilities assigned to giving weapons to immature children with
> obvious tendencies towards violence.  Only the lawyers would be happy
> in the end.
>
> The reasoning is simple:
>
> Any computer system can be broken into.  Yes, that's right, any. It is
> simply a matter of dedication and know how.  The degree with which it
> is easy certainly varies.  In general, anyone running a Linux based
> machine on the internet has taken a significant step towards improved
> security without even knowing it.  It requires a specific effort to
> gain unauthorized access.  There are other operating systems that are
> much simpler to break into by (lack of) design.  Anyone who breaks
> into a Linux system, or even the poorly designed other systems, has
> committed a grievous act.  That they then use the ground they gained to
> cause more pain for others is not the fault of the one broken into.
>
> Say for example that someone managed to break into your system.  Yes
> you, like I, probably make a serious effort to guard your security.
> Neither of us probably does that to keep people from attacking others
> from our system - that's just a side benefit.  We do that for purely
> selfish reasons - to protect what is under our charge.  However, say
> your or my system was compromised, and attacks launched.  Should we be
> at fault?  What if it was KGB trained crackers, smoking unfiltered
> cigarettes, and carrying CZ-75's for effect - i.e. the pros from
> Dover?  Are we at fault if they crack us and then attack others?
>
> My point is that there is no certification required to be on the
> internet beyond not emitting a bit stream except when commanded to.
> The goal of the society minded computer scientist should be to make it
> harder to break into systems anyway, regardless of where it's coming
> from.  The assumption should be made that any computer on the internet
> is compromised from the moment that ifconfig responds.  Draw the line
> of protection around your own system, and spend otherwise litigious
> energy improving the protection for all via education of others at the
> least.
>
> Might I make a suggestion to your client?  Take the money it would
> have cost for the court proceedings, and give it to one of the Linux
> support agencies.  Some portion of it will go toward improving
> security by finding and fixing bugs that allow unauthorized access.
>
> Just the ramblings of a geek, who occasionally lapses into believing
> that the intent of laws is to encourage improvement of the lacking.
>
> Regards,
> Billy
>

--
Intelligence is the ability to discern.
Instinct is the ability to react.
Insight is Intelligence applied to Instinct.
(c)1999 Bill Ries-Knight



