Path: utzoo!utgpu!watmath!att!pacbell!ames!amdcad!weitek!practic!polstra!jdp
From: jdp@polstra.UUCP (John D. Polstra)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: the worm and internet security
Summary: Stage a Contest
Message-ID: <1140@polstra.UUCP>
Date: 7 Aug 89 19:48:47 GMT
References: <8907280211.AA09340@asylum.sf.ca.us> <8908062210.AA11042@multimax.encore.com>
Reply-To: jdp@polstra.UUCP (John D. Polstra)
Organization: Polstra & Co., Seattle
Lines: 46

One of the problems that surfaces over and over in this forum is the fact that the major vendors don't bother to fix the known security problems in their products. The reason they don't fix these problems is that they don't have much motivation to do so. I would like to suggest a way to provide the missing motivation.

Somebody (the DoD, a major university, or an interested member of the press) ought to organize an annual competition, in which each of the vendors would try to crack its competitors' systems. A mini-network would be set up, and each vendor's tiger team would try to crack as many other systems in as many ways as possible during some fixed time interval. The results would be published openly so that potential customers could take security issues into account when choosing vendors.

The vendors would be doubly motivated to keep abreast of all known security weaknesses. First, they would be looking for ways to embarrass the competition. Second, they would be trying to minimize their own vulnerability as much as possible.

The press would love it, because security issues sell newspapers these days. Also, members of the press IMHO get a charge out of embarrassing people and (especially) corporations.

There would be no need to openly publish the methods used for breaking into systems, so the rest of the Internet would not need to worry about zillions of evil computer hackers suddenly finding out how to mess with their systems.
On the other hand, the rules could require that vendors share their successful methods with the manufacturers of the systems that were defeated by them. (This could be part of the process of validating a break-in.)

If the competition were held periodically, say once or twice a year, then one could also keep track of weaknesses which had been previously exposed and remained uncorrected.

Comments, anyone?

-- 
John Polstra                                       jdp@polstra.UUCP
Polstra & Co., Inc.                    ...{uunet,sun}!practic!polstra!jdp
Seattle, WA                                        (206) 932-6482