Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site bnl.UUCP
Path: utzoo!watmath!clyde!bonnie!akgua!mcnc!philabs!sbcs!bnl!jpm
From: jpm@bnl.UUCP (John McNamee)
Newsgroups: net.followup
Subject: Re: Hackers and others take note
Message-ID: <817@bnl.UUCP>
Date: Sat, 8-Dec-84 01:02:48 EST
Article-I.D.: bnl.817
Posted: Sat Dec  8 01:02:48 1984
Date-Received: Thu, 13-Dec-84 01:36:12 EST
References: <2612@dartvax.UUCP>
Distribution: net
Lines: 38

It has all been said before, but since it has been brought up again,
here I go...

Fascist laws to protect computer systems from breakins do not solve any
problems. At best they give computer owners a false sense of security. If
you are going to put your computer on a public network then you best secure
it. That means using dialback units if you can, and at the least changing
passwords often. TRW should be sued for gross criminal negligence for the
way they handle their security. Printing a password on the credit report is
just plain stupid. I know they cut that out a few months back, but have
they changed every password since then? I doubt it. Do they change all
password regularly? I doubt it. Do they use encryption? No. What do these
people do to safegaurd their data? Nothing as far as I can tell.

I dont see phreak BBS's as the big problem that many others do. They only
distribute information, they dont generate it. I'm not saying they shouldnt
be shut down (I'm all for it), but that doing so is attacking a symptom
rather than the real problem. You wont make security problems go away by
closing all the phreak boards. The insecure systems are still out there,
and the next batch of kids will break into them and start new phreak
boards.

I think a solution is to give computer owners an incentive to patch their
holes. I'm not a lawyer, but I know there is a principle of "mitigation of
damage" that is often applied in civil suits. The idea is that if you want
to claim you have been damaged, you have to show that you tried to reduce
the damage done. This same principle should be applied when a computer has
been broken into. If somebody was able to login to account "guest" with a
password of "guest" then the system manager didnt do their job of making
the system secure. "Attractive nuisance" laws could even be applied in
cases such as this. As far as I'm concerned, if the system owner cared so
little about security that obvious logins were available then he has very
little right to complain when somebody breaks in.
-- 

			John McNamee
		..!decvax!philabs!sbcs!bnl!jpm
			jpm@Bnl.Arpa