[10062] in Commercialization & Privatization of the Internet
Re: If Orson Welles were only alive...
daemon@ATHENA.MIT.EDU (Mark R. Ludwig)
Sat Feb 5 12:33:32 1994
From: "Mark R. Ludwig" <Mark-Ludwig@uai.com>
To: "Chris G. Sylvain" <cgs@access.digex.net>
Cc: karl@mcs.com (Karl Denninger), bzs@world.std.com (Barry Shein),
In-Reply-To: <199402051705.AA01595@access3.digex.net>
Date: Sat, 05 Feb 1994 09:32:58 -0800
>>>>> "C" == Chris G. Sylvain <cgs@access.digex.net> writes:
C> In message <m0pSgP0-000BbfC@mercury.mcs.com>, Karl Denninger writes:
C> = 2) Form a mailing list of <real> admins to discuss issues, including
C> = break-ins in process. I am going to be anal about who gets on the
C> = list, as I want to solicit people to post actual scripts, code, etc
C> [...]
C> I'm a Computer Specialist (Job series 334) at the National Weather Service
C> Office of Systems Operations, Systems Integration Division, tasked with
C> LAN and Systems Administration.
C> I'm interested in participating in the list more as a defense mechanism
C> for NWS/OSO/SID than as a reporter/documenter of tactics used against us.
In order for this sort of thing to work, it has to be a
cards-are-on-the-table-all-the-time arrangement or we get nowhere.
I have a big problem with the spook mentality to which CERT ascribes:
that they won't divulge information about problems until some
political event occurs (the vendor releases an official patch, etc.),
and then give almost no hard information about the problem. The
fairly-recent sendmail problem was a classic. It's true they cannot
know who will get the information, and yes, some Bad People will get
it. What's the ratio? I'm thankful that Alexis Rosen (sp?) saw fit
to describe it in gory detail, because without that information one
could not assess one's site's level of exposure. The sendmail problem
in particular is obvious to the most casual syslog-reader.
I believe most people are good, some are Bad and a few are Evil.
Spreading the information therefore does a lot more good than bad.
If you want a secure system, hire 24-hour guards who shoot before
asking questions and put it in a room shielded from electromagnetic
waves. Anything else is not secure, and it's a matter for each
administrator to determine the level of security needed. Behind some
of Barry's statements is I think the same belief I have: don't try to
solve social problems with technology. We got ourselves into this
mess because we needed to cooperate (network). We can only get
ourselves out of this mess the same way: by cooperating.$$
