Path: utzoo!attcan!utgpu!watmath!iuvax!silver!hughes
From: hughes@silver.bacs.indiana.edu
Newsgroups: comp.protocols.tcp-ip
Subject: Re: the worm and internet security
Message-ID: <44500004@silver>
Date: 11 Aug 89 14:42:00 GMT
References: <11042@multimax.encore.com>
Organization: Indiana University CSCI, Bloomington
Lines: 50
Nf-ID: #R:multimax.encore.com:-1104200:silver:44500004:000:2506
Nf-From: silver.bacs.indiana.edu!hughes Aug 11 09:42:00 1989

jdp@polstra.UUCP writes:
> One of the problems that surfaces over and over in this forum is the
> fact that the major vendors don't bother to fix the known security
> problems in their products. The reason they don't fix these problems
> is that they don't have much motivation to do so. I would like to
> suggest a way to provide the missing motivation.
>
> Somebody (the DoD, a major university, or an interested member of the
> press) ought to organize an annual competition, in which each of the
> vendors would try to crack its competitors' systems. A mini-network
> would be set up, and each vendor's tiger team would try to crack as
> many other systems in as many ways as possible during some fixed time
> interval. The results would be published openly so that potential
> customers could take security issues into account when choosing
> vendors.
> ...

I see your point, but I have a few comments.

First, this assumes that the "tiger teams" would each stand on equal
footing, which is probably not the case. If this approach were to be
taken, a more effective approach might be to have an impartial third
party try to break each system.

Second, I know people who are excellent at breaking programs, yet are
not very good at designing or implementing programs. And an operating
system is, after all, just a collection of programs.

Third, and to me more important, I think this type of competition would
do more harm than good. We can motivate others by rewarding or punishing
them, and there is a place for both. But to rely more on punishing will
certainly take the heart out of the industry...which is already suffering
enough from fierce and greedy competition. In other words...shouldn't our
motivation as programmers to produce a quality product be coming more
from an internal inspiration, rather than from a fear of what others will
say or think?

/=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
|| Larry J. Hughes, Senior Programmer  || hughes@silver.bacs.indiana.edu   ||
|| Indiana University                  || hughes@iujade.bitnet             ||
|| University Computing Services       ||                                  ||
|| 750 N. State Road 46 Bypass         || "The person who knows            ||
|| Bloomington, IN 47405               ||  everything has a lot            ||
|| (812) 855-9255                      ||  to learn."                      ||
\=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=/