****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 1, Issue #1.03 (April 8, 1990) **
****************************************************************************
MODERATORS: Jim Thomas / Gordon Meyer
REPLY TO: TK0JUT2@NIU.bitnet
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.
--------------------------------------------------------------------
DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Contributors assume all responsibility
for assuring that articles submitted do not violate copyright
protections.
--------------------------------------------------------------------
***************************************************************
*** Computer Underground Digest Issue #1.03 / File 3 of 6 ***
***************************************************************
(Contributed by Ellis Dea)
The March 19, 1990 issue of The Scientist contains an article
titled "NASA Network Faulted for Security Gaps" (2, 12). An interesting
heading of the page twelve continuation of the article is "NASA Says Best
Defense Against Hackers is Prosecution" (12). The Scientist, as usual,
maintains its objectivity through the novel approach of supporting BOTH
sides of the issue. Although I find it difficult to raise ambivalence and
equivocation to the level of objectivity, the publication should at least
be commended for at least mentioning the faulty security, especially as
almost everybody reading this knows full well that the system password for
NASA's computer system was for a long time 3210 (clever? who would ever
think of trying that?).

SPAN (Space Physics Analysis Network) is an unclassified network on
which research scientists share information that is vital to their work.
Much of the information could be of general interest, but much of it would
be far over the head of the average "hacker." SPAN investigates every
violation of security, it says, but one wonders why. None of the alleged
incidents have resulted in any loss of data, thus proving that those who
did gain access illegally had no malice in mind. If they had resulted in
loss of data, however, I would strongly question why that information was
not backed up. Better yet, why is the information restricted at all? Why
not simply make this information available to the general public, perhaps
on a duplicate machine?

What is happening here is a conflict between the General Accounting
Office (GAO) and the people who are trying to maintain the computer system.
The GAO is pointing out, quite correctly, that they are doing their jobs.
NASA is countering that it is much better to prosecute than to prevent (not
quite in those words, but that is the point that emerges). The truth of
the matter is that those who are supposed to be preventing unauthorized access
to the SPAN network are incompetent. The best way to cover up incompetence
is to hide behind some sort of moral or legal shield.

Actually, what the GAO says in its report makes perfect sense which
may be one reason why NASA is resisting it and posturing instead: "Suppose
a SPAN user at university X taps into the system and is connected with the
Johnson Space Center. And suppose he figures out how to bypass the files
he is pointed to and taps into another database. Could he cause
significant damage to that system if he tried to change it? And what's the
information worth? That's what we think NASA should be trying to find
out." Suppose the system is such that he could NOT cause significant
damage? Why worry about it then? Suppose the information is worthless?
Why bother? Why not try to find out? Because this "hacker" could cause
significant damage and NASA knows it. Furthermore, NASA is incapable, at
the present time, of preventing it. If NASA had enough brains, it would
hire some of these "hackers" as consultants and fix their systems rather
than expecting our penal system to do it for them.

At the present time, it seems that NASA is relying on the threat
of prosecution to prevent unauthorized access to SPAN. One of NASA's
arguments is that to increase security would make access more difficult.
Since their database is designed primarily for scientists, especially
astrophysicists, one can not expect them to make the system too complicated
and thus above the heads of their users, but one can expect at least a
modicum of expertise in these areas from them. Certainly, the threat of
prosecution seems absurd.

We can realize its absurdity by making a simple analogy to everyday
life. Of course, it may be considered a bit unfair by NASA for us to
expect them to take reality into consideration, but a bit of common sense
can not always be out of place. The situation seems to me analogous to
saying that we will no longer lock the doors to our homes or automobiles
when we leave them --we will henceforth rely on law enforcement to protect
our belongings. From now on, we will impose draconian penalties on anyone
who steals anything from us without our permission. We will cut their
fingers or hands off, castrate them, etc. Even under these conditions,
even with a tremendous influx of money for enforcement of these penalties,
I am sure that we would continue to lock our doors and I am somewhat
certain that even those speaking for NASA in this case would continue to
lock their doors.

If I could humbly offer a bit of advice to NASA: lock your doors.
Furthermore, if you find that a hacker has opened your door, why not seek
his advice on how to lock it better? Why not even sponsor some sort of
contest? See who does the best job of getting around your security (for
they will anyway) and reward that person. Or perhaps punish him by putting
HIM in charge of your computer security. He could certainly do a damn
better job of it than you are doing now and you could go back to your
research.