Computer underground Digest    Sun Oct 4, 1992   Volume 4 : Issue 48

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Shadow-Archivist: Dan Carosone
       Copy Editor: Etaion Shrdleax, Esq.

CONTENTS, #4.48 (Oct 4, 1992)
File 1--Wes Morgan's on J Davis & Piracy (Re: CuD 4.46)
File 2--"Whose Internet Is It Anyway?" (Online! Reprint)
File 3--Implementing System Security

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT
libraries; from America Online in the PC Telecom forum under
"computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by
anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au.
Back issues also may be obtained from the mail server at
mailserv@batpad.lgb.ca.us.
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Some authors do copyright their material, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles relating
to computer culture and communication. Articles are preferred to short
responses. Please avoid quoting previous posts unless absolutely
necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators.
Digest contributors assume all responsibility for ensuring that
articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Mon, 28 Sep 92 10:10:41 EDT
From: morgan@ENGR.UKY.EDU(Wes Morgan)
Subject: File 1--Wes Morgan's on J Davis & Piracy (Re: CuD 4.46)

In CuD #4.46, Jim Davis writes:

>First, the reality of software production in the late 20th century is
>much different than this image. Most software production is NOT a
>cottage industry.

Agreed, but that doesn't really change my arguments very much.

>The industry has quickly matured in the past few years into a typical
>monopolized industry. Most patent filings are by corporations. Most
>software is not purchased from the individuals who create the
>software, it is purchased from companies who have required their
>engineers to sign away any rights to whatever they come up with, AS A
>CONDITION OF EMPLOYMENT. So IN MOST CASES, the creator has been
>separated from the results of his or her creativity.

Isn't this true of almost any commercial concern? Toyota engineers
sign away their rights to the design of the 1993 Camry, and
contributing editors sign away their rights to their editorials in the
Lexington Herald-Leader (if printed, unsigned, as the opinion of the
paper). Yet, these individuals still profit from their work; the
engineers will receive raises/bonuses if their designs are
commercially successful, and the editors of the Herald-Leader receive
greater compensation if the paper's subscriptions increase. What's the
difference?

>But the image of the sole-proprietor hacker is raised up as a shield
>by the software industry -- the public can take pity on the
>"defenseless" hacker; people don't take pity on a Microsoft or an IBM.

It isn't a question of "pity", nor have I advanced it as such. My
argument is very simple.
You do not have the moral, ethical, or legal right to take someone
else's explicit design (be it computer software, a piece of sculpture,
or a 1993 Camry), duplicate it, and give the copies away.

>Here we get to the heart of the matter -- we're really talking about
>the "rights" of software corporations here; not the hacker, not the
>consumer, and not society.

So, the people who constitute a corporation are now in a separate
class?

>Nowhere do I argue that the people who write software should not be
>compensated for their effort. Of course people should be compensated!

You say that people should be compensated, yet you wish to remove
their largest/best-protected source of compensation -- contract
royalties from legitimate purchases.

>The question is how, and how much.

"how much"? This almost sounds like a thinly disguised slam on
software prices........

>Paycheck dollars from a corporation, a university, a cooperative or
>the government all spend equally as well.

Of course, one's paycheck is usually proportional to the success of
one's efforts. I can't imagine anyone increasing an employee's pay for
"good societal benefits" of their work (with the exception of the fine
people in the social work careers, of course....).

>But the social benefits from the programmer's efforts are constrained
>by forcing them through the legal contortions of intellectual
>property rights and private ownership.

If the programmer (or corporation) wants to reap social benefits,
they'll place the program in the public domain (or provide 'student
editions', or educational pricing, etc.). It's *their* choice, not
yours.

>The model that we have been using is private speculation for private
>gain, made possible via exclusive monopolies granted by the
>government, enforced by law. I am saying that other successful models
>exist and have generated useful products.

Many such models exist; however, you would force everyone into the
same model. Neither of us can dictate models to the developer.
>The subtext in the "I deserve a reward" argument is that someone who
>comes up with a really useful idea should get a special reward. Fine.
>I have no problem with public recognition of significant
>contribution, even including a cash award. Again, this doesn't
>_require_ intellectual property rights.

I can see it now -- "You've written a wonderful program! Here's a
one-time cash award of $XXXX, and we're going to spread your program
around the world, let other people use it to make more money, and you
won't reap any further benefit from it."

>Morgan says that "*companies* create for financial gain" (which I
>certainly agree with), but puts this forward as if the protection of
>*their* financial gain somehow justifies the rest of us having to
>suffer under intellectual property rights.

Let's try a parallel (this usually degenerates into a flamefest,
but...):

- You (Mr. Davis) write a book entitled "Intellectual Property in the
  Information Age"
- Prentice-Hall, in their wisdom, deems it worthy; a First Edition is
  prepared, published, and placed on sale.
- I purchase one copy, duplicate it 500 times, and distribute it to a
  conference *without your permission*.
- Your book is included in the conference Proceedings, and is made
  available to the public; again, neither you nor PH recognize any
  compensation.

Can you honestly say that neither you nor Prentice-Hall will be
concerned?

I have found that many people (NOT, necessarily, Mr. Davis) who argue
against intellectual property rights have never been in a position to
earn compensation from their personal work(s). I have been in such a
position, and it definitely changes one's opinions. (While my
experience in this area does not lie within the realm of computer
software, I believe that my experience is valid.)

>Corporations are not necessary for the generation of the software we
>need.
That's well and good; you (and anyone else) are quite free to design,
implement, test, debug, document, and distribute any software you
wish.

>Harlan Cleveland, .....wrote.....:
>"Is the doctrine that information is owned by its originator (or
>compiler) necessary to make sure that Americans remain intellectually
>creative?" He answers in the negative, citing the healthy public
>sector R&D efforts in space exploration, environmental protection,
>weather forecasting and the control of infectious diseases as counter
>examples.

Hmmm.....

   "space exploration"       == "NASA"
   "environmental protection" == "EPA"
   "weather forecasting"     == "NOAA"
   "infectious diseases"     == "PHS/HHS/CDC"

"public sector" seems to melt into "government agencies". If you (or
Mr. Cleveland) can provide examples of such work which are outside the
governmental realm, I'd like to know about it. Of course, a great deal
of university research takes place under government grants; we might
even argue that universities are another arm of the government in this
respect. I'm not familiar with any large-scale research which is truly
in the "public sector".

>Fourth, the notion of a solitary inventor is a popular falsehood. No
>one creates in a vacuum.

Agreed.

>The programmer's skills and creativity rest upon past inventions and
>discoveries;

This is true of almost any invention, discovery, or creation; would
you apply your arguments to cars, calculators, or novels? Heck, most
musical compositions are based on the ancient notions of scales, keys,
and modes; would you throw *all* music into the public domain, too?

>publicly supported education;

It is quite possible to complete one's education without setting foot
in a "publicly supported" school.

>the other people who produced the hardware, the manuals and textbooks
>and the development tools; as well as the artists and accompanying
>infrastructure who may have inspired or influenced the programmer.
You're absolutely correct, but it's still the programmer's invention
that made it possible.

>In this sense, the developer's product is a social product, and
>consequently should redound to the benefit of all of society.

Again, are you willing to apply this notion to *every* invention,
development, or creation? I still don't believe that computer software
is inherently different from any other medium.

>The practical problem of compensation for effort and reward for
>outstanding achievement can be addressed outside of "intellectual
>property rights."

I'd like to see some concrete ideas about the implementation of this
"compensation....and reward". You've mentioned it several times, but
you haven't presented any practical implementations.

>The public is already heavily involved in software production, but as
>is too often the case, the public finances something, and then turns
>it over to private corporations to reap all of the profits from it.

1) The "public" doesn't have to "turn it over" to the private sector.

2) Most programmers who develop something on their own (as opposed to
   "staff programmers" at a software company) usually recognize
   compensation in either lump-sum payment(s), increased salaries, or
   royalties.

3) If I decide to market my own software product, haven't I just
   become one of your much-vilified "private corporations"?

>Re: my point that intellectual property rights prevent intellectual
>effort, including software development, from maximizing its social
>benefit: If a copy of Lotus 1-2-3 does have use for people, and people
>are prevented from using it (e.g., because of the price barrier), then
>its potential benefit is constricted.

You didn't address my mention of "public access" computing sites, such
as those found in many schools and public libraries. It would seem
that this growing "public access" facility would render your "price
barrier" irrelevant.

>Mr. Woodhead says that no companies specialize in educational
>software.
>If this in fact is the case, then this only reinforces the argument
>for the necessity of some sort of social or public or community (or
>whatever you want to call it) funding of educational software
>development.

Just go ahead and say "government funding"; you've been hinting around
the phrase for several paragraphs.

>Re: Mr. Morgan's notion of more aggressively extending patents to
>software: it's already taking place.

Good; I'll look at the references you mentioned.

>17 years (typical for patents) is an eternity in the evolution of
>software (as is 10 or 20 years, as suggested by Mr. Morgan).

OK, let's change it to 5; we're speaking rhetorically, right? 8)

>As a sidenote, even the SPA has opposed software patents.

Of course they oppose it! It cuts into their profits! I've never said
that current pricing is fair.......

>Re: fair use -- the point I was trying to make is that the concept of
>"fair use" has EVOLVED and EXPANDED with increasing ability to easily
>duplicate various media.

How, exactly, has it "evolved and expanded"?

>"Taping of television programs for personal use appears to have
>become accepted as fair use of copyright material.

"appears to have"? It was explicitly affirmed in several court
decisions.

>The rationale of the court must have been the unlikely efficacy of
>trying to put Pandora back into the box and the fact that no
>commercial use of the tapes was either alleged or documented."

Bingo! The "personal use" factor was a determinant in each decision.
You'll notice that the courts did NOT affirm any redistribution
rights, either for-profit or for free.....

>The point is that legal constructs like "fair use" are not brought to
>us by Moses -- they are determined by the balance of social forces
>through legal, political, economic and other forms of struggle. And
>therefore they are something which we can affect.

Agreed! I would enthusiastically support a "free for educational
purposes" waiver of licensing.
I'm the Systems Administrator for the UK College of Engineering; we
spend a great deal of money on licenses, and some vendors have my
undying gratitude (Swanson Analysis, MathWorks, and CADKEY, are you
listening?).

Let me ask you a simple question: You have championed (and rightfully
so) the cause of "educational computing"; you've used education as a
bulwark of your arguments. However, would you voluntarily restrict
your use of "free software" to educational purposes? If WordPerfect
gave you 10 copies for your class, would you use it to write your next
book? Would you sell that book?

>From: peter@FICC.FERRANTI.COM(Peter da Silva)
>Subject--File 2--Response to Davis/Piracy (1)
>
>Re: Wes Morgan's article in CuD #4.43
>
>I largely agree with most of his arguments, but I would like to point
>out one mistake... he says:
>
>   "The whole concept of copyrights ... is based on the notion
>   that the creator ... is entitled to some compensation for his
>   effort"
>
>This is just not true. The whole concept of copyrights and patents in
>the United States is based on the notion that by making intellectual
>property a salable commodity subject to market forces, more and better
>intellectual property will be created and it will be distributed more
>freely.

Absolutely! I think we said the same thing; I just didn't extend my
statement far enough. (My statement was based on my experience in more
"artistic" fields, namely music; the market forces Peter mentions are
less dominant in that field.) Thanks for clarifying, Peter.

>And, you know what, it works. There's no better refutation, nor need
>there be a better refutation, of the argument that piracy promotes
>openness. It doesn't. It promotes encrypted software, dongles, and
>trade secrets. It discourages publication. It reduces the incentive to
>create viable products of commercial quality. These are not the result
>of intellectual property laws, they're the result of the failure to
>enforce intellectual property laws.

Breakaway!
Shot! Goal! Well said.

>From: "Michael Stack"
>Subject--File 3--Response to Davis/Piracy (2)
>
>They both seem to view copyright and patents as a system guaranteeing
>a right to profit overlooking the original constitutional intent to
>"promote the progress of Science and the useful Arts."

Here's the relevant citation:

   [Article I, Section 8, US Constitution]
   ...To promote the progress of science and useful arts, by securing
   for limited times to authors and inventors the exclusive right to
   their respective writings and discoveries;

We may argue that the current implementation of copyrights and patents
is in need of overhaul/modification, but you cannot evade the
Constitutional "exclusive right" for inventors and authors. I'd also
argue that the very presence of hundreds of software companies
validates the "progress of science and useful arts"; I receive
information on new software releases on an almost-daily basis.

>To be able to accuse someone of stealing or to claim something as
>property (and to subsequently grant licenses on how this property is
>to be used) implies there exists rights of ownership in the first
>place. The crux of Mr. Davis's article questions this right. The
>respondents by-pass this altogether.

I didn't bypass it at all; in fact, my entire argument is based on the
premise of "I made it, and it's mine!". 8)

>Their articles are but explanations of the existing order in case we
>didn't already understand.

The "existing order" is entirely Constitutional. Mr. Davis' questions
bypass the Constitutional provisions of "exclusive rights" for
creations and inventions. Would you support a Constitutional amendment
to revoke those "exclusive rights"? Keep in mind that any such action
would invalidate *all* trademarks, copyrights, and patents. None of
the parties in this discussion have provided justification for
applying different standards to computer software, so it's in the same
boat as any other "writings and discoveries".
>The fact that "alls not well in the state of Denmark" in itself
>punches large holes in the system the two respondents defend.
>
>Both belittle the spectre of "police state" raised by Mr. Davis.
>Amazingly, this is done within the pages of a publication which has
>spotlighted many instances of "police-state" behavior: doors
>kicked-in in the early hours of morning, guns drawn, threats,
>equipment confiscated (permanently?), "guilty till proved innocent,"
>etc.

I didn't "belittle" the police-state notion at all! Of course, those
are matters of criminal law, not copyright infringement. I have yet to
hear mention of such a "police state" approach to copyrights.

>--On the one hand you argue "If I pour 4 years of my life into the
>development of SnarkleFlex, I DESERVE to profit from it" but then you
>append a caveat which undoes this assertion "(assuming that people
>want to purchase/use it)." Doesn't this condition make your
>capitalized assertion self-destruct?

How about "I deserve the OPPORTUNITY to profit from it"?

>Do you deserve to be rewarded for your work, yes or no, or is it to
>be let dependent on market caprice?

Market caprice, absolutely! That's the basis for ANYONE's living; one
must provide a service (or goods) which people need or want. If there
is no market for your skills, you get to find another job. That's
self-determination.

>--You ask "Would you make a copy of Webster's Dictionary and give it
>to a friend?" and you sport(!) "Xerox(tm)[ing] your entire printed
>library for me..." "...would be just fine, right?" Yes, it would --
>if the library and dictionary were in a readily distributable form and
>the copy cost me near nothing i.e. in digital form. I'd be happy to
>give you a copy. I could give it to anyone. As to how I'd have a
>library in the first place we can discuss (perhaps outside of this
>forum).

"how I'd have a library......we can discuss.....outside of this
forum"? Oh, my! Let's translate this a bit.....
"Sure, I'll give you a copy; just don't ask where I got it."

>Michael Goldhaber in his book Reinventing Technology states "Since new
>information technology includes easy ways of reproducing information,
>the existence of these [intellectual property] laws effectively
>curtail the widest possible spread of this new form of wealth."

Your alternative is anarchic, is it not? I'll ask you a simple
question, one for which no one has provided a suitable answer:

If I choose to make my living as a software author (either "on my own"
or as part of a company/corporation), how will your proposed "freedom
of information" help me earn a living? Will it, in fact, hinder me in
earning a living?

--Wes

------------------------------

Date: Thu, 1 Oct 92 08:58:29 EDT
From: Rich=Gautier%SETA%DRC@S1.DRC.COM
Subject: File 2--"Whose Internet Is It Anyway?" (Online! Reprint)

This entire article was re-typed by Richard A. Gautier
(RG%SETA%DRC@S1.DRC.COM). If there are any SPELLING errors, they are
probably his. If there are grammar errors, they are Dr. Grundner's, or
the editors'. Mr. Gautier HAS obtained permission to electronically
disseminate this article from ngarman@tso.uc.edu who represents ONLINE
magazine. Her comment was that this article really does belong in the
electronic (Internet) forum, and that it was really a shame that I had
to ask with an article like this.

"WHOSE INTERNET IS IT ANYWAY? -- A CHALLENGE"
By Dr. Tom Grundner
From--Online! Magazine, July 1992, pp. 6-7, 10.

It began innocently enough. I was rummaging around the Internet
looking for some NREN information to include in a proposal I was
writing, when I came across a rather one-sided "debate." It was a
string of messages written mostly by people from academic computing
centers bemoaning the fact that NREN _might_ be made available to K-12
schools, businesses, libraries, and (horror of horrors) even to the
general public. They were beside themselves.
"The Internet and the NREN are supposed to be for academic and
research purposes," they said. "What's going to happen if we allow all
these other people on? There's not going to be enough bandwidth.
Transmission time will suffer. Before you know it, the NREN is going
to be just as bad as the Internet is now."

As the messages came in, their outrage seemed to build. So did mine.
Finally I came across a message that simply read: "Why should we let
them use it at all???" and suddenly the terrible mistake we've been
making became clear.

We in the non-university networking community have been framing the
wrong issue. Until now, the issue has been whether K-12 schools and
community users are going to have access to the NREN. It should have
been whether K-12 and community users are going to
_allow_the_academic_centers_ to access the NREN. Somehow we had gotten
our priorities crossed.

Who do they think is _paying_ for all this? When the NREN comes
online, the money to build it will be coming from that apparently
forgotten group of people called "taxpayers." Who do they think is
paying for the current Internet backbone? The National Science
Foundation? Wrong! It's the taxpayers. Who do they think is paying for
those mid-level networks, and for the high-speed data lines to connect
their colleges to those networks, and for the nice high-powered
servers that make the connection so easy? Do they think that money is
coming from good ole Siwash State U.? If so, then who, pray tell, is
funding Siwash State? Right again. Taxpayers!

So now we come along, with hat in hand, begging for permission to have
minimal access to the Internet and to be a part of NREN. Why? So we
can set up K-12 networks that will allow the _taxpayers'_ kids to
learn the information age skills they will need to be competitive in
the 21st century. So we can provide the _taxpayers_ access to
electronic mail, government information, and other resources via
libraries and community computer systems.
So we can provide some piece of the information age to the people who
paid for it in the first place! And the academics treat us like
beggars in a subway station. _Absurd!_

Absurd, but not surprising. To understand this attitude, you have to
keep in mind that, in most locations, these university computing
centers are designed for the people who work there plus 35 of their
buddies. No one else - including the other students and faculty on
their own campuses - need apply. In most locations, students or
faculty members seeking to use the Internet are given a blinking
cursor that dares them to come up with some combination of nonsense
syllables to make it do something. That's it. No help. No training. No
assistance. Nothing. It is not surprising that the idea of letting the
community have access to this preciously guarded resource would send
chills up their spines.

But, in many ways, we in the non-academic computing circles have made
our share of mistakes as well. Not only have we been apologetic in our
claims to this national resource, but we have engaged in what I call
the "Balkanization" of the information age - the fragmentation of our
efforts into dozens of competing networks and special interest
systems. We should be working toward a common framework with enough
"conceptual bandwidth" to include everyone.

As a function of developing my organization, the National Public
Telecomputing Network, I am asked to speak at a lot of conventions and
conferences; and what I find at those meetings has become quite
predictable. Everyone is excited about computer networking. When I go
to a K-12 convention; everyone is talking about K-12 networks. When I
go to a library conference; everyone is talking about library
networks, and so on - all in direct competition with each other. It
doesn't make sense.

Let's say you are proposing a statewide network that will link your
libraries together, complete with Internet connections - the whole
bit.
And let's say you take it to your state capital and, amazingly enough,
you get it funded. Now, what happens if a month later the K-12 people
(or someone else) shows up with a proposal to fund their network; or
worse, what happens if they get there a month _before_ you? Someone
must lose; it is inherent in that kind of competitive process.

But our mistakes do not end with the competition for monies. They run
deeper than that. We have also failed to come up with a comprehensive
plan to show how any of our ideas fit together.

Let me use the K-12 initiatives as an example. I have seen a number of
proposals going around that (depending on the proposal) would provide
every school in the city/state/country with a connection to the
Internet - so every child will have access to the information
resources to be found there. That's fine. In fact, on the surface, it
sounds wonderful. But what happens _after_ the student graduates from
high school or college? Do we toss him or her out into a world where
those resources are utterly unavailable? If so,
_what's_the_point_of_training_them_on_the_resources_
in_the_first_place? It's like having mandatory driver education in a
world without cars! It doesn't make sense.

We create plan after plan, proposal after proposal, with no common
conceptual framework to tie them together. I believe we must start
developing our programs in the context of community-wide information
systems. The guy who runs the corner gas station (and who was in a
K-12 class only a few years ago) should have at least as much
information access as the K-12 students who are in class right now.
But we can't do that; we can't achieve it; unless we can band together
somehow to speak with one voice.

And...we need leadership. Where is that leadership going to come from?
One logical source is the library community. But I don't see that
happening. What I see is a profession divided.
Half the librarians I've talked to see this network technology as
exactly the kind of thing libraries should be embracing; and the other
half (usually higher-level officials) see it as the work of the devil
- with no detectable middle ground.

We can't continue without leadership, without a plan, and in direct
competition with each other. Perhaps what is needed is a plot of
ground that stands outside existing territory, a place where everyone
can stand, and around which we can all rally.

Let me try out an idea on you. Suppose a super-fund was created for
the development of a nationwide network of computerized community
information systems. These systems would be free to the user in the
same sense that the public library is free to its patrons. Of equal
importance, each of these systems would have a place on them for the
library community, the K-12 community, the medical community,
government officials, and anyone else who wanted to use it. In
addition, each system would be linked by, and would provide its users
with controlled access to, the Internet/NREN.

From a technological standpoint, there are no barriers to the
development of these systems. Indeed, there currently exist several
pilot systems that are already accomplishing all the above and more.

How would we fund it? One way would be to ask every Regional Bell
Operating Company to contribute, along with every high-tech
corporation, the federal government, every state government, every
major city, and every major foundation. If necessary, we would
approach the various state Public Utility Commissions to ask that a
surtax be placed on phone company data line profits. The fund would be
charged with developing a minimum of 100 community computers covering
all 50 states by the year 2000. Initial cost would be about $30
million dollars.

Could it be done? Without any doubt, yes. We've done it before. Most
people do not realize that 100 years ago there was no such thing as
the public library as we know it.
But we reached the point in this country where literacy levels got
high enough (and the cost of producing books cheap enough) that the
public library became feasible. People across the country began to
come together around the idea of free public access to the printed
word; and the result was a legacy from which everyone reading this
article has benefitted.

What I am saying, is that in this century _computer_ literacy levels
have gotten high enough (and the cost of computer equipment cheap
enough) that it is time for a similar movement to form around the
development of free public-access computerized community information
systems. It is time for us to stop being apologetic, and to stop
competing with each other. In short, it is time for us to leave a
legacy of our own.

Do you see what I am saying? Would you support such a plan? I mean,
would you support it personally? Would you work for it? Would your
company or institution support it? Would they contribute to it? If so,
let me know. Send me electronic mail, send me snailmail, but let me
know. The key here is not the technology, that's already in place, it
is "will." Do we have the will to do it?

The issue is no longer _whether_ we will enter an information age.
That part has been settled. We have. What is at issue is whether the
information age is something that happens _to_ us, or something that
happens _for_ us. Fortunately, that decision still remains in our
hands.

++++++++++++++++

_TOM_GRUNDNER_ is the president of the National Public Telecomputing
Network, and the founder of the Cleveland Freenet. The freenets are
community information systems, located in several Ohio communities
and in Peoria, Illinois. A column in DATABASE (April 1988, pp. 97-99)
by Steve Cisler describes the Cleveland Freenet in its early stages.
Communications to the author should be addressed to Dr.
Tom Grundner, National Public Telecomputing Network, Box 1987,
Cleveland, OH 44106; 216/368-2733; Internet-aa001@cleveland.freenet.edu;
BITNET-aa001%cleveland.freenet.edu@cunyvm.

(Editor's Note: Write to Tom Grundner, or write to ONLINE
(ngarman@tso.uc.edu), to answer this challenge and comment on this
controversial issue facing the library and online community. ONLINE
will publish as many notes and letters as we have room for in coming
issues. --NG)

------------------------------

Date: 25 Sep 1992 11:07:31 -0700 (MST)
From: RayK
Subject: File 3--Implementing System Security

Toward the Implementation of a System and Network Security-Related
Incident Tracking and Vulnerability Reporting Database

by Ray Kaplan

Consider the need for a system and network security-related incident
tracking and vulnerability reporting database (herein referred to as
ITVRD for convenience). Such a database might be a relational
combination of reported vulnerabilities and incidents that could
answer queries such as "show me recorded instances of compromise for
version xxx of operating system yyy on zzz hardware" or "show me a
list of known vulnerabilities of the login sequence for version xxx of
operating system yyy on zzz hardware" or even, "show me a list of
reported compromises of version AAA of third party product BBB running
under version xxx of operating system yyy on zzz hardware". We might
even be able to ask "show me known instances of password guessing
attacks on version xxx of operating system yyy on zzz hardware at
banks."

It is widely known that the flow of security-related information is
carefully controlled and that such information is not readily or
widely available to those who need it to protect their systems and
networks. There is plenty of information available - but, its
availability seems limited to the underground.
While this apparently serves those who know and control this information, it does little to help those who are trying to protect their systems and networks. Security by obscurity is widely known to be a flawed concept. My argument would be that this game of security incident/vulnerability tracking is a lot like dealing with the AIDS crisis. If we don't start talking openly about it, we are all in trouble(1).

While some of the various computer incident handling capabilities do an excellent job of distributing SOME significant vulnerability and incident information publicly(2), VERY LITTLE detailed information gets disseminated in comparison to the number of known vulnerabilities and known incidents. In addition, those who are not connected to the Internet have a difficult time staying abreast of those incidents that are reported. Worse yet, I speculate that the majority of systems and private networks that exist in the world today are simply not even tapped into the meager flow of security-related information that does exist.

I believe that this sad situation is due to the politics of security vulnerability information between vendors in the market(3), and an inherent desire to control the distribution of this information by the portion of the security community that has placed themselves in charge of it. As proof of this, consider that prototypes of system and network security-related ITVRDs are known to have been funded by the government, but were stopped when the funding agency wanted to classify the effort making it publicly inaccessible(4). What we - as a community - are left with is an odd situation where the best collections of vulnerability information are to be found only on the clandestine sources of the world's underground computer community.
At this writing, the Defense Advanced Research Projects Agency's (DARPA) Computer Emergency Response Team (CERT) is reporting on the order of 3 incidents per day, but we - as a community - hear very little about the exact nature of these problems, how they can be used against our systems or their fixes.

While the relatively new Forum of Incident Response and Security Teams (FIRST) is working on the problems associated with the design and implementation of an ITVRD, their discussions are carefully restricted to their members and this topic has been under discussion for quite a long time with no apparent movement. In addition, most of us are not members of FIRST, so we can't contribute to the discussions even if we wanted to do so.

Since I know that the formation of a widely available ITVRD is a very, very emotional issue in the security community and since I am not willing to suggest that I have the best design and implementation plan for it in mind - I'm simply throwing the question out into the community for an open, vigorous debate: how can a system and network security-related ITVRD be implemented - or should it even be implemented?

Based on my recent, unsuccessful experiences in trying to get members of the legitimate security community at large to talk to members of the world's computer underground, I have decided that it is not prudent for me to proceed with the design and implementation of an ITVRD until some consensus in the community is reached about how - or even if - such a thing should be done.

As a seed for the debate, here are some of the questions surrounding the implementation of an ITVRD that I think need vigorous discussion by the community. Please consider them carefully and offer us your thoughts. Post your reply to this channel or send it to me at any of the addresses below and I will collect it, combine it with others that I receive and report it in some regular manner which is yet to be determined.
A myriad of hard questions:

What of the morals and ethics questions that surround the establishment of a widely available ITVRD? While this is not a new idea(5), we are talking about the morals and ethics of making an ITVRD available to anyone who wants access to it. This necessarily includes those that are not members of the legitimate security community. Even though information such as that which an ITVRD would hold is readily available now, it takes a lot of time and energy to find it. An ITVRD would make incident and vulnerability information trivially available to anyone who wanted it.

How should an ITVRD be accessible? Should it be a database on the network that can be accessed by simply sending a well-formed query via electronic mail to a database server? Should an ITVRD allow interactive access? Should it be available via a toll-free, 1-800 number? A pay-per-call, 1-900 number?

Since it has its own very well-developed channels of communication, why would the underground even care to contribute to such an ITVRD? Would a widely accessible ITVRD threaten or replace popular underground publications like Hack-Tic or 2600? Would the underground be happy with attribution for the holes that they find? Would the contributors to an ITVRD even want to be identified?

Should a subscriber-based ITVRD pay its contributors for their submissions? If so, on what basis and how much? Should it be available to those that want to passively access it without contributing to it? Should this access be on a subscription basis? If so, does such a subscription service need some sort of authentication to restrict access to only legitimate, paid subscribers?

Should the contents of an ITVRD be exactly what is submitted to it, or should submissions to it be edited and/or verified for authenticity? If editing, verification and authentication of submissions are to take place, who should do this and under what rules should it be done?
In recognition that many organizations do not currently report their security problems, should anonymous submissions be allowed? Should such an ITVRD be in the public domain or should it be private property? Where should an on-line ITVRD be maintained? Should it be located outside the traditional boundaries of countries that would restrict its availability?

I am sure that I have missed many, many important questions. Please contribute to this discussion.

Electronic mail: Internet - kaplan@mis.arizona.edu
                 BITNET - KAPLAN@ARIZMIS
Snail mail: Ray Kaplan
            P.O. Box 42650
            Tucson, AZ 85733-2650
FAX - (602) 791-3325

This has been posted to:
  Some common Network Newsgroups, and the DECUS DECUServe bbs.
  Several of the world's underground publications: 2600 and Hack-Tic.
  Selected members of the security community.

Please feel free to re-post this anywhere you see fit - it is hereby released into the public domain. If you post it somewhere - please let me know where you put it so I can try and track the discussions - I'd like to do a summary of it all one of these days. In advance, thanks for your time and consideration.

Since I know that the ire of powerful forces in the security community may be stirred up by the idea of publicly discussing the design and operation of an ITVRD, I only hope that a reasoned exchange of ideas will follow.

++++++++++

(1) I get into some interesting discussions with people who argue that secrecy is the best course of action. For instance, while splitting hairs on the tough subject of when you begin (or if there even should BE) sex education, there is an argument that says educating very young people about their sexuality will induce them to experiment where they otherwise might not do so. In my view, this is similar to discussions that I have with those that oppose the implementation of an ITVRD. There are those that say the mere availability of an ITVRD will cause more incidents.
In the face of this criticism, I say that while this may be true, at least system and network managers WILL have a reference for this information where currently there is none. Just think, the formation of an ITVRD may lead to vendors actually shipping a document that describes the known vulnerabilities of their systems to their customers. Sort of like the Surgeon General's warning on alcohol and tobacco products?

(2) Of note here is the Defense Advanced Research Projects Agency's (DARPA) Computer Emergency Response Team (CERT). While these consummate professionals do an excellent job of distributing incident and vulnerability-related information to the Internet community, not nearly enough is being done.

(3) While it is clear that there are vulnerabilities which affect many vendors, there is evidence to suggest that some vendors in the incident response community don't acknowledge those reports by other vendors which clearly affect their own systems - let alone reporting all of the vulnerabilities of their own systems.

(4) References available if you'd like them.

(5) There most certainly are ITVRDs currently being maintained in various places.

------------------------------

End of Computer Underground Digest #4.48
************************************