Path: utzoo!attcan!utgpu!watmath!iuvax!silver!hughes
From: hughes@silver.bacs.indiana.edu
Newsgroups: comp.protocols.tcp-ip
Subject: Re: the worm and internet security
Message-ID: <44500004@silver>
Date: 11 Aug 89 14:42:00 GMT
References: <11042@multimax.encore.com>
Organization: Indiana University CSCI, Bloomington
Lines: 50
Nf-ID: #R:multimax.encore.com:-1104200:silver:44500004:000:2506
Nf-From: silver.bacs.indiana.edu!hughes    Aug 11 09:42:00 1989


jdp@polstra.UUCP writes:

> One of the problems that surfaces over and over in this forum is the
> fact that the major vendors don't bother to fix the known security
> problems in their products.  The reason they don't fix these problems
> is that they don't have much motivation to do so.  I would like to
> suggest a way to provide the missing motivation.
>
> Somebody (the DoD, a major university, or an interested member of the
> press) ought to organize an annual competition, in which each of the
> vendors would try to crack its competitors' systems.  A mini-network
> would be set up, and each vendor's tiger team would try to crack as
> many other systems in as many ways as possible during some fixed time
> interval.  The results would be published openly so that potential
> customers could take security issues into account when choosing
> vendors.
> ...

I see your point, but I have a few comments.

First, this assumes that the "tiger teams" would each stand on
equal footing, which is probably not the case.  If this approach
were to be taken, a more effective approach might be to have
an impartial third party try to break each system.

Second, I know people who are excellent at breaking programs, yet 
are not very good at designing or implementing programs.  And an 
operating system is, after all, just a collection of programs.

Third, and to me more important, I think this type of
competition would do more harm than good.  We can motivate
others by rewarding or punishing them, and there is a place
for both.  But to rely more on punishing will certainly
take the heart out of the industry...which is already suffering
enough from fierce and greedy competition.

In other words...shouldn't our motivation as programmers
to produce a quality product be coming more from an
internal inspiration, rather than from a fear of what
others will say or think?

/=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
|| Larry J. Hughes, Senior Programmer ||  hughes@silver.bacs.indiana.edu   ||
||        Indiana University          ||  hughes@iujade.bitnet             ||
||   University Computing Services    ||                                   ||
||    750 N. State Road 46 Bypass     ||  "The person who knows            ||
||      Bloomington, IN  47405        ||     everything has a lot          ||
||         (812) 855-9255             ||       to learn."                  ||
\=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=/