Path: utzoo!utgpu!watmath!att!pacbell!ames!amdcad!weitek!practic!polstra!jdp
From: jdp@polstra.UUCP (John D. Polstra)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: the worm and internet security
Summary: Stage a Contest
Message-ID: <1140@polstra.UUCP>
Date: 7 Aug 89 19:48:47 GMT
References: <8907280211.AA09340@asylum.sf.ca.us> <8908062210.AA11042@multimax.encore.com>
Reply-To: jdp@polstra.UUCP (John D. Polstra)
Organization: Polstra & Co., Seattle
Lines: 46

One of the problems that surfaces over and over in this forum is the
fact that the major vendors don't bother to fix the known security
problems in their products.  The reason they don't fix these problems
is that they don't have much motivation to do so.  I would like to
suggest a way to provide the missing motivation.

Somebody (the DoD, a major university, or an interested member of the
press) ought to organize an annual competition, in which each of the
vendors would try to crack its competitors' systems.  A mini-network
would be set up, and each vendor's tiger team would try to crack as
many other systems in as many ways as possible during some fixed time
interval.  The results would be published openly so that potential
customers could take security issues into account when choosing
vendors.

The vendors would be doubly motivated to keep abreast of all known
security weaknesses.  First, they would be looking for ways to
embarrass the competition.  Second, they would be trying to minimize
their own vulnerability as much as possible.

The press would love it, because security issues sell newspapers these
days.  Also, members of the press IMHO get a charge out of embarrassing
people and (especially) corporations.

There would be no need to openly publish the methods used for breaking
into systems, so the rest of the Internet would not need to worry about
zillions of evil computer hackers suddenly finding out how to mess with
their systems.  On the other hand, the rules could require that vendors
share their successful methods with the manufacturers of the systems
that were defeated by them.  (This could be part of the process of
validating a break-in.)

If the competition were held periodically, say once or twice a year,
then one could also keep track of weaknesses which had been previously
exposed and remained uncorrected.

Comments, anyone?

-- John Polstra               jdp@polstra.UUCP
   Polstra & Co., Inc.        ...{uunet,sun}!practic!polstra!jdp
   Seattle, WA                (206) 932-6482