Computer underground Digest    Sun Oct 4, 1992   Volume 4 : Issue 48

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Shadow-Archivist: Dan Carosone
       Copy Editor: Etaion Shrdleax, Esq.

CONTENTS, #4.48 (Oct 4, 1992)
File 1--Wes Morgan's on J Davis & Piracy (Re: CuD 4.46)
File 2--"Whose Internet Is It Anyway?" (Online! Reprint)
File 3--Implementing System Security

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT
libraries; from America Online in the PC Telecom forum under
"computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by
anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au.
Back issues also may be obtained from the mail server at
mailserv@batpad.lgb.ca.us.
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted for non-profit as long
as the source is cited.  Some authors do copyright their material, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: Mon, 28 Sep 92 10:10:41 EDT
From: morgan@ENGR.UKY.EDU(Wes Morgan)
Subject: File 1--Wes Morgan's on J Davis & Piracy (Re: CuD 4.46)

In CuD #4.46, Jim Davis writes:

>First, the reality of software production in the late 20th century is
>much different than this image. Most software production is NOT a
>cottage industry.

Agreed, but that doesn't really change my arguments very much.

>The industry has quickly matured in the past few
>years into a typical monopolized industry. Most patent filings are by
>corporations. Most software is not purchased from the individuals who
>create the software, it is purchased from companies who have required
>their engineers to sign away any rights to whatever they come up with,
>AS A CONDITION OF EMPLOYMENT. So IN MOST CASES, the creator has been
>separated from the results of his or her creativity.

Isn't this true of almost any commercial concern?  Toyota engineers
sign away their rights to the design of the 1993 Camry, and contributing
editors sign away their rights to their editorials in the Lexington
Herald-Leader (if printed, unsigned, as the opinion of the paper).  Yet,
these individuals still profit from their work; the engineers will receive
raises/bonuses if their designs are commercially successful, and the editors
of the Herald-Leader receive greater compensation if the paper's subscriptions
increase.  What's the difference?

>But the image of
>the sole-proprietor hacker is raised up as a shield by the software
>industry -- the public can take pity on the "defenseless" hacker;
>people don't take pity on a Microsoft or an IBM.

It isn't a question of "pity", nor have I advanced it as such.

My argument is very simple.  You do not have the moral, ethical, or legal
right to take someone else's explicit design (be it computer software, a
piece of sculpture, or a 1993 Camry), duplicate it, and give the copies away.

>Here we get
>to the heart of the matter -- we're really talking about the "rights"
>of software corporations here; not the hacker, not the consumer, and
>not society.

So, the people who constitute a corporation are now in a separate class?

>Nowhere do I argue that the people who write software should not be
>compensated for their effort. Of course people should be compensated!

You say that people should be compensated, yet you wish to remove their
largest/best-protected source of compensation -- contract royalties from
legitimate purchases.

>The question is how, and how much.

"how much"?  This almost sounds like a thinly disguised slam on software
prices........

>Paycheck dollars from a
>corporation, a university, a cooperative or the government all spend
>equally as well.

Of course, one's paycheck is usually proportional to the success of
one's efforts.  I can't imagine anyone increasing an employee's pay
for "good societal benefits" of their work (with the exception of
the fine people in the social work careers, of course....).

>But the social benefits from the programmer's efforts
>are constrained by forcing them through the legal contortions of
>intellectual property rights and private ownership.

If the programmer (or corporation) wants to reap social benefits, they'll
place the program in the public domain (or provide 'student editions', or
educational pricing, etc.).  It's *their* choice, not yours.

>The model that we
>have been using is private speculation for private gain, made possible
>via exclusive monopolies granted by the government, enforced by law. I
>am saying that other successful models exist and have generated useful
>products.

Many such models exist; however, you would force everyone into the same
model.  Neither of us can dictate models to the developer.

>The subtext in the "I deserve a reward" argument is that
>someone who comes up with a really useful idea should get a special
>reward. Fine. I have no problem with public recognition of significant
>contribution, even including a cash award. Again, this doesn't
>_require_ intellectual property rights.

I can see it now -- "You've written a wonderful program!  Here's a one-time
cash award of $XXXX, and we're going to spread your program around
the world, let other people use it to make more money, and you won't reap
any further benefit from it."

>Morgan says that
>"*companies* create for financial gain" (which I certainly agree
>with), but puts this forward as if the protection of *their* financial
>gain somehow justifies the rest of us having to suffer under
>intellectual property rights.

Let's try a parallel (this usually degenerates into a flamefest, but...):

   - You (Mr. Davis) write a book entitled "Intellectual Property in the
     Information Age"
   - Prentice-Hall, in their wisdom, deems it worthy; a First Edition is
     prepared, published, and placed on sale.
   - I purchase one copy, duplicate it 500 times, and distribute it to
     a conference *without your permission*.
   - Your book is included in the conference Proceedings, and is made
     available to the public; again, neither you nor PH recognize any
     compensation.

Can you honestly say that neither you nor Prentice-Hall will be concerned?

I have found that many people (NOT, necessarily, Mr. Davis) who argue against
intellectual property rights have never been in a position to earn compensation
from their personal work(s).  I have been in such a position, and it definitely
changes one's opinions.  (While my experience in this area does not lie within
the realm of computer software, I believe that my experience is valid.)

>Corporations are not necessary for the
>generation of the software we need.

That's well and good; you (and anyone else) are quite free to design,
implement, test, debug, document, and distribute any software you wish.

>Harlan Cleveland, .....wrote.....:
>"Is the doctrine that information is owned by its
>originator (or compiler) necessary to make sure that Americans remain
>intellectually creative?" He answers in the negative, citing the
>healthy public sector R&D efforts in space exploration, environmental
>protection, weather forecasting and the control of infectious diseases
>as counter examples.

Hmmm....."space exploration" == "NASA"
         "environmental protection" == "EPA"
         "weather forecasting" == "NOAA"
         "infectious diseases" == "PHS/HHS/CDC"

"public sector" seems to melt into "government agencies".  If you (or
Mr. Cleveland) can provide examples of such work which are outside the
governmental realm, I'd like to know about it.  Of course, a great deal
of university research takes place under government grants; we might
even argue that universities are another arm of the government in this
respect.

I'm not familiar with any large-scale research which is truly in the
"public sector".

>Fourth, the notion of a solitary inventor is a popular falsehood.  No
>one creates in a vacuum.

Agreed.

>The programmer's skills and creativity rest
>upon past inventions and discoveries;

This is true of almost any invention, discovery, or creation; would you
apply your arguments to cars, calculators, or novels?  Heck, most musical
compositions are based on the ancient notions of scales, keys, and modes;
would you throw *all* music into the public domain, too?

>publicly supported education;

It is quite possible to complete one's education without setting foot
in a "publicly supported" school.

>the other people who produced the hardware, the manuals and textbooks
>and the development tools; as well as the artists and accompanying
>infrastructure who may have inspired or influenced the programmer.

You're absolutely correct, but it's still the programmer's invention
that made it possible.

>In
>this sense, the developer's product is a social product, and
>consequently should redound to the benefit of all of society.

Again, are you willing to apply this notion to *every* invention,
development, or creation?  I still don't believe that computer
software is inherently different from any other medium.

>The
>practical problem of compensation for effort and reward for
>outstanding achievement can be addressed outside of "intellectual
>property rights."

I'd like to see some concrete ideas about the implementation of this
"compensation....and reward".  You've mentioned it several times, but
you haven't presented any practical implementations.

>The public
>is already heavily involved in software production, but as is too
>often the case, the public finances something, and then turns it over
>to private corporations to reap all of the profits from it.

1) The "public" doesn't have to "turn it over" to the private sector.

2) Most programmers who develop something on their own (as opposed to
   "staff programmers" at a software company) usually recognize compensation
   in either lump-sum payment(s), increased salaries, or royalties.

3) If I decide to market my own software product, haven't I just become
   one of your much-vilified "private corporations"?

>Re: my point that intellectual property rights prevent intellectual
>effort, including software development, from maximizing its social
>benefit: If a copy of Lotus 1-2-3 does have use for people, and people
>are prevented from using it (e.g., because of the price barrier), then
>its potential benefit is constricted.

You didn't address my mention of "public access" computing sites, such
as those found in many schools and public libraries.  It would seem that
this growing "public access" facility would render your "price barrier"
irrelevant.

>Mr. Woodhead says that no companies specialize in educational
>software. If this in fact is the case, then this only reinforces the
>argument for the necessity of some sort of social or public or
>community (or whatever you want to call it) funding of educational
>software development.

Just go ahead and say "government funding"; you've been hinting around
the phrase for several paragraphs.

>Re: Mr. Morgan's notion of more aggressively extending patents to
>software: it's already taking place.

Good; I'll look at the references you mentioned.

>17 years (typical for
>patents) is an eternity in the evolution of software (as is 10 or 20
>years, as suggested by Mr. Morgan).

OK, let's change it to 5; we're speaking rhetorically, right?  8)

>As a sidenote, even the SPA has
>opposed software patents.

Of course they oppose it!  It cuts into their profits!  I've never
said that current pricing is fair.......

>Re: fair use -- the point I was trying to make is that the concept of
>"fair use" has EVOLVED and EXPANDED with increasing ability to easily
>duplicate various media.

How, exactly, has it "evolved and expanded"?

>"Taping of television programs for personal
>use appears to have become accepted as fair use of copyright material.

"appears to have"?  It was explicitly affirmed in several court decisions.

>The
>rationale of the court must have been the unlikely efficacy of trying
>to put Pandora back into the box and the fact that no commercial use
>of the tapes was either alleged or documented."

Bingo!  The "personal use" factor was a determinant in each decision.
You'll notice that the courts did NOT affirm any redistribution rights,
either for-profit or for free.....

>The point is that legal constructs like "fair
>use" are not brought to us by Moses -- they are determined by the
>balance of social forces through legal, political, economic and other
>forms of struggle. And therefore they are something which we can
>affect.

Agreed!

I would enthusiastically support a "free for educational purposes" waiver of
licensing.  I'm the Systems Administrator for the UK College of Engineering;
we spend a great deal of money on licenses, and some vendors have my undying
gratitude (Swanson Analysis, MathWorks, and CADKEY, are you listening?).

Let me ask you a simple question:

You have championed (and rightfully so) the cause of "educational computing";
you've used education as a bulwark of your arguments.  However, would you
voluntarily restrict your use of "free software" to educational purposes?
If WordPerfect gave you 10 copies for your class, would you use it to write
your next book?  Would you sell that book?

>From: peter@FICC.FERRANTI.COM(Peter da Silva)
>Subject--File 2--Response to Davis/Piracy (1)
>
>Re: Wes Morgan's article in CuD #4.43
>
>I largely agree with most of his arguments, but I would like to point
>out one mistake... he says:
>
>  "The whole concept of copyrights ... is based on the notion
>   that the creator ... is entitled to some compensation for his
>   effort"
>
>This is just not true. The whole concept of copyrights and patents in
>the United States is based on the notion that by making intellectual
>property a salable commodity subject to market forces, more and better
>intellectual property will be created and it will be distributed more
>freely.

Absolutely!  I think we said the same thing; I just didn't extend my
statement far enough.  (My statement was based on my experience in
more "artistic" fields, namely music; the market forces Peter mentions
are less dominant in that field.)

Thanks for clarifying, Peter.

>And, you know what, it works. There's no better refutation, nor need
>there be a better refutation, of the argument that piracy promotes
>openness. It doesn't. It promotes encrypted software, dongles, and
>trade secrets. It discourages publication. It reduces the incentive to
>create viable products of commercial quality. These are not the result
>of intellectual property laws, they're the result of the failure to
>enforce intellectual property laws.

Breakaway!  Shot!  Goal!

Well said.

>From: "Michael Stack" <stack@STARNINE.COM>
>Subject--File 3--Response to Davis/Piracy (2)
>
>They both seem to view copyright and
>patents as a system guaranteeing a right to profit overlooking the
>original constitutional intent to "promote the progress of Science and
>the useful Arts."

Here's the relevant citation:

[Article I, Section 8, US Constitution]

...To promote the progress of science and useful arts, by securing for
   limited times to authors and inventors the exclusive right to their
   respective writings and discoveries;

We may argue that the current implementation of copyrights and patents
is in need of overhaul/modification, but you cannot evade the Constitutional
"exclusive right" for inventors and authors.

I'd also argue that the very presence of hundreds of software companies
validates the "progress of science and useful arts"; I receive information
on new software releases on an almost-daily basis.

>To be able to accuse someone of stealing or to claim something
>as property (and to subsequently grant licenses on how this property
>is to be used) implies there exists rights of ownership in the first
>place.   The crux of Mr. Davis's article questions this right.  The
>respondents by-pass this altogether.

I didn't bypass it at all; in fact, my entire argument is based on
the premise of "I made it, and it's mine!".  8)

>Their articles are but
>explanations of the existing order in case we didn't already
>understand.

The "existing order" is entirely Constitutional.  Mr. Davis' questions
bypass the Constitutional provisions of "exclusive rights" for creations
and inventions.  Would you support a Constitutional amendment to revoke
those "exclusive rights"?

Keep in mind that any such action would invalidate *all* trademarks,
copyrights, and patents.  None of the parties in this discussion have
provided justification for applying different standards to computer
software, so it's in the same boat as any other "writings and discoveries".

>The fact that "all's not well in the state of Denmark"
>in itself punches large holes in the system the two respondents
>defend.

>Both belittle the spectre of "police state" raised by Mr. Davis.
>Amazingly, this is done within the pages of a publication which has
>spotlighted many instances of "police-state" behavior: doors
>kicked-in in the early hours of morning, guns drawn, threats,
>equipment confiscated (permanently?), "guilty till proved innocent,"
>etc.

I didn't "belittle" the police-state notion at all!

Of course, those are matters of criminal law, not copyright infringement.
I have yet to hear mention of such a "police state" approach to copyrights.

>--On the one hand you argue "If I pour 4 years of my life into the
>development of SnarkleFlex, I DESERVE to profit from it"  but then you
>append a caveat which undoes this assertion "(assuming that people
>want to purchase/use it)."  Doesn't this condition make your
>capitalized assertion self-destruct?

How about "I deserve the OPPORTUNITY to profit from it"?

>Do you deserve to be rewarded
>for your work, yes or no, or is it to be left dependent on market
>caprice?

Market caprice, absolutely!  That's the basis for ANYONE's living; one
must provide a service (or goods) which people need or want.  If there
is no market for your skills, you get to find another job.  That's
self-determination.

>--You ask "Would you make a copy of Webster's Dictionary and give it
>to a friend?" and you sport(!) "Xerox(tm)[ing] your entire printed
>library for me..." "...would be just fine, right?"  Yes, it would --
>if the library and dictionary were in a readily distributable form and
>the copy cost me near nothing i.e. in digital form.  I'd be happy to
>give you a copy.   I could give it to anyone.  As to how I'd have a
>library in the first place we can discuss (perhaps outside of this
>forum).

"how I'd have a library......we can discuss.....outside of this forum"?

Oh, my!  Let's translate this a bit.....

   "Sure, I'll give you a copy; just don't ask where I got it."

>Michael Goldhaber in his book Reinventing Technology states "Since new
>information technology includes easy ways of reproducing information,
>the existence of these [intellectual property] laws effectively
>curtail the widest possible spread of this new form of wealth."

Your alternative is anarchic, is it not?  I'll ask you a simple question,
one for which no one has provided a suitable answer:

   If I choose to make my living as a software author (either "on
   my own" or as part of a company/corporation), how will your
   proposed "freedom of information" help me earn a living?  Will
   it, in fact, hinder me in earning a living?

--Wes

------------------------------

Date: Thu,  1 Oct 92 08:58:29 EDT
From: Rich=Gautier%SETA%DRC@S1.DRC.COM
Subject: File 2--"Whose Internet Is It Anyway?" (Online! Reprint)

This entire article was re-typed by Richard A. Gautier
(RG%SETA%DRC@S1.DRC.COM).  If there are any SPELLING errors, they are
probably his.  If there are grammar errors, they are Dr. Grundner's, or
the editors'.  Mr. Gautier HAS obtained permission to electronically
disseminate this article from ngarman@tso.uc.edu who represents ONLINE
magazine.  Her comment was that this article really does belong in the
electronic (Internet) forum, and that it was really a shame that I had
to ask with an article like this.

            "WHOSE INTERNET IS IT ANYWAY? -- A CHALLENGE"
                          By Dr. Tom Grundner
           From--Online! Magazine, July 1992, pp. 6-7, 10.

    It began innocently enough.  I was rummaging around the Internet
looking for some NREN information to include in a proposal I was
writing, when I came across a rather one-sided "debate."

    It was a string of messages written mostly by people from academic
computing centers bemoaning the fact that NREN _might_ be made
available to K-12 schools, businesses, libraries, and (horror of
horrors) even to the general public.  They were beside themselves.
"The Internet and the NREN are supposed to be for academic and
research purposes," they said.  "What's going to happen if we allow
all these other people on?  There's not going to be enough bandwidth.
Transmission time will suffer.  Before you know it, the NREN is going
to be just as bad as the Internet is now."

    As the messages came in, their outrage seemed to build.  So did
mine.

    Finally I came across a message that simply read: "Why should we
let them use it at all???" and suddenly the terrible mistake we've
been making became clear.  We in the non-university networking
community have been framing the wrong issue.

    Until now, the issue has been whether K-12 schools and community
users are going to have access to the NREN.  It should have been
whether K-12 and community users are going to
_allow_the_academic_centers_ to access the NREN.  Somehow we had
gotten our priorities crossed.

    Who do they think is _paying_ for all this?  When the NREN comes
online, the money to build it will be coming from that apparently
forgotten group of people called "taxpayers."  Who do they think is
paying for the current Internet backbone?  The National Science
Foundation?  Wrong!  It's the taxpayers.  Who do they think is paying
for those mid-level networks, and for the high-speed data lines to
connect their colleges to those networks, and for the nice
high-powered servers that make the connection so easy?  Do they think
that money is coming from good ole Siwash State U.?  If so, then who,
pray tell, is funding Siwash State?  Right again.  Taxpayers!

    So now we come along, with hat in hand, begging for permission to
have minimal access to the Internet and to be a part of NREN.  Why?
So we can set up K-12 networks that will allow the _taxpayers'_ kids
to learn the information age skills they will need to be competitive
in the 21st century.  So we can provide the _taxpayers_ access to
electronic mail, government information, and other resources via
libraries and community computer systems.  So we can provide some
piece of the information age to the people who paid for it in the
first place!  And the academics treat us like beggars in a subway
station.

    _Absurd!_ Absurd, but not surprising.

    To understand this attitude, you have to keep in mind that, in
most locations, these university computing centers are designed for
the people who work there plus 35 of their buddies.  No one else -
including the other students and faculty on their own campuses - need
apply.  In most locations, students or faculty members seeking to use
the Internet are given a blinking cursor that dares them to come up
with some combination of nonsense syllables to make it do something.
That's it.  No help.  No training.  No assistance.  Nothing.  It is
not surprising that the idea of letting the community have access to
this preciously guarded resource would send chills up their spines.

    But, in many ways, we in the non-academic computing circles have
made our share of mistakes as well.  Not only have we been apologetic
in our claims to this national resource, but we have engaged in what I
call the "Balkanization" of the information age - the fragmentation of
our efforts into dozens of competing networks and special interest
systems.  We should be working toward a common framework with enough
"conceptual bandwidth" to include everyone.

    As a function of developing my organization, the National Public
Telecomputing Network, I am asked to speak at a lot of conventions and
conferences; and what I find at those meetings has become quite
predictable.  Everyone is excited about computer networking.  When I
go to a K-12 convention; everyone is talking about K-12 networks.
When I go to a library conference; everyone is talking about library
networks, and so on - all in direct competition with each other.

    It doesn't make sense.

    Let's say you are proposing a statewide network that will link
your libraries together, complete with Internet connections - the
whole bit.  And let's say you take it to your state capital and,
amazingly enough, you get it funded.  Now, what happens if a month
later the K-12 people (or someone else) shows up with a proposal to
fund their network; or worse, what happens if they get there a month
_before_ you?  Someone must lose; it is inherent in that kind of
competitive process.

    But our mistakes do not end with the competition for monies.  They
run deeper than that.  We have also failed to come up with a
comprehensive plan to show how any of our ideas fit together.  Let me
use the K-12 initiatives as an example.

    I have seen a number of proposals going around that (depending on
the proposal) would provide every school in the city/state/country
with a connection to the Internet - so every child will have access to
the information resources to be found there.  That's fine.  In fact,
on the surface, it sounds wonderful.

    But what happens _after_ the student graduates from high school or
college?  Do we toss him or her out into a world where those resources
are utterly unavailable?  If so,
_what's_the_point_of_training_them_on_the_resources_
in_the_first_place?  It's like having mandatory driver education in a
world without cars!

    It doesn't make sense.  We create plan after plan, proposal after
proposal, with no common conceptual framework to tie them together.

    I believe we must start developing our programs in the context of
community-wide information systems.  The guy who runs the corner gas
station (and who was in a K-12 class only a few years ago) should have
at least as much information access as the K-12 students who are in
class right now.  But we can't do that; we can't achieve it; unless we
can band together somehow to speak with one voice.

    And...we need leadership.

    Where is that leadership going to come from?  One logical source
is the library community.  But I don't see that happening.  What I see
is a profession divided.  Half the librarians I've talked to see this
network technology as exactly the kind of thing libraries should be
embracing; and the other half (usually higher-level officials) see it
as the work of the devil - with no detectable middle ground.

    We can't continue without leadership, without a plan, and in
direct competition with each other.  Perhaps what is needed is a plot
of ground that stands outside existing territory, a place where
everyone can stand, and around which we can all rally.

    Let me try out an idea on you.

    Suppose a super-fund was created for the development of a
nationwide network of computerized community information systems.
These systems would be free to the user in the same sense that the
public library is free to its patrons.  Of equal importance, each of
these systems would have a place on them for the library community,
the K-12 community, the medical community, government officials, and
anyone else who wanted to use it.  In addition, each system would be
linked by, and would provide its users with controlled access to, the
Internet/NREN.  From a technological standpoint, there are no barriers
to the development of these systems.  Indeed, there currently exist
several pilot systems that are already accomplishing all the above and
more.

    How would we fund it?  One way would be to ask every Regional Bell
Operating Company to contribute, along with every high-tech
corporation, the federal government, every state government, every
major city, and every major foundation.  If necessary, we would
approach the various state Public Utility Commissions to ask that a
surtax be placed on phone company data line profits.  The fund would
be charged with developing a minimum of 100 community computers
covering all 50 states by the year 2000.  Initial cost would be about
$30 million.

    Could it be done?  Without any doubt, yes.  We've done it before.
Most people do not realize that 100 years ago there was no such
thing as the public library as we know it.  But we reached the
point in this country where literacy levels got high enough (and
the cost of producing books cheap enough) that the public library
became feasible.  People across the country began to come together
around the idea of free public access to the printed word; and the
result was a legacy from which everyone reading this article has
benefited.

    What I am saying, is that in this century _computer_ literacy
levels have gotten high enough (and the cost of computer equipment
cheap enough) that it is time for a similar movement to form around
the development of free public-access computerized community
information systems.  It is time for us to stop being apologetic, and
to stop competing with each other.  In short, it is time for us to
leave a legacy of our own.

    Do you see what I am saying?
    Would you support such a plan?  I mean, would you support it
    personally?
    Would you work for it?
    Would your company or institution support it?
    Would they contribute to it?  If so, let me know.

    Send me electronic mail, send me snailmail, but let me know.  The
key here is not the technology, that's already in place, it is "will."
Do we have the will to do it?

    The issue is no longer _whether_ we will enter an information age.
That part has been settled.  We have.  What is at issue is whether the
information age is something that happens _to_ us, or something that
happens _for_ us.

    Fortunately, that decision still remains in our hands.

++++++++++++++++

    _TOM_GRUNDNER_ is the president of the National Public
Telecomputing Network, and the founder of the Cleveland Freenet.  The
freenets are community information systems, located in several Ohio
communities and in Peoria, Illinois.  A column in DATABASE (April
1988, pp. 97-99) by Steve Cisler describes the Cleveland Freenet in
its early stages.

    Communications to the author should be addressed to Dr. Tom
Grundner, National Public Telecomputing Network, Box 1987, Cleveland,
OH 44106; 216/368-2733; Internet-aa001@cleveland.freenet.edu;
BITNET-aa001%cleveland.freenet.edu@cunyvm. (Editor's Note: Write to
Tom Grundner, or write to ONLINE (ngarman@tso.uc.edu), to answer this
challenge and comment on this controversial issue facing the library
and online community.  ONLINE will publish as many notes and letters
as we have room for in coming issues.  --NG)

------------------------------

Date: 25 Sep 1992 11:07:31 -0700 (MST)
From: RayK <KAPLAN%UAMIS@ARIZVMS.BITNET>
Subject: File 3--Implementing System Security

  Toward the Implementation of a System and Network Security-Related
        Incident Tracking and Vulnerability Reporting Database
                            by Ray Kaplan

Consider the need for a system and network security-related incident
tracking and vulnerability reporting database (herein referred to as
ITVRD for convenience).

Such a database might be a relational combination of reported
vulnerabilities and incidents that could answer queries such as "show
me recorded instances of compromise for version xxx of operating
system yyy on zzz hardware" or "show me a list of known
vulnerabilities of the login sequence for version xxx of operating
system yyy on zzz hardware" or even, "show me a list of reported
compromises of version AAA of third party product BBB  running under
version xxx of operating system yyy on zzz hardware".  We might even
be able to ask "show me known instances of password guessing attacks
on version xxx of operating system yyy on zzz hardware at banks."
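As an added illustration (not from Kaplan's article, and not any real
ITVRD), here is a minimal relational schema in SQLite, driven through
Python's standard sqlite3 module, showing how the four kinds of query
above map onto joins over platform, third-party product, vulnerability
and incident tables.  Every table, column and record is constructed for
the example; the `verified` and `contributor` columns anticipate the
editing and anonymous-submission questions raised later in the article.

```python
# Added example: a small relational ITVRD in SQLite answering the four
# query shapes from the article.  All names and records are constructed
# for illustration; none come from CERT, FIRST or any real database.
import sqlite3

SCHEMA = """
CREATE TABLE platform (
    id       INTEGER PRIMARY KEY,
    os_name  TEXT NOT NULL,          -- 'operating system yyy'
    os_ver   TEXT NOT NULL,          -- 'version xxx'
    hardware TEXT NOT NULL,          -- 'zzz hardware'
    UNIQUE (os_name, os_ver, hardware)
);
CREATE TABLE third_party (
    id      INTEGER PRIMARY KEY,
    product TEXT NOT NULL,           -- 'third party product BBB'
    version TEXT NOT NULL,           -- 'version AAA'
    UNIQUE (product, version)
);
CREATE TABLE vulnerability (
    id          INTEGER PRIMARY KEY,
    platform_id INTEGER NOT NULL REFERENCES platform(id),
    product_id  INTEGER REFERENCES third_party(id),  -- NULL: the OS itself
    component   TEXT NOT NULL,       -- e.g. 'login sequence'
    summary     TEXT NOT NULL,
    verified    INTEGER NOT NULL DEFAULT 0,  -- checked by a maintainer?
    contributor TEXT                 -- NULL: anonymous submission
);
CREATE TABLE incident (
    id           INTEGER PRIMARY KEY,
    vuln_id      INTEGER NOT NULL REFERENCES vulnerability(id),
    reported_on  TEXT NOT NULL,
    sector       TEXT,               -- e.g. 'bank', 'university'
    attack_class TEXT NOT NULL,      -- e.g. 'password guessing'
    compromised  INTEGER NOT NULL    -- 1 if the attempt succeeded
);
"""

# Constructed sample records: fictional OS, hardware, product and dates.
SAMPLE_DATA = """
INSERT INTO platform VALUES (1, 'ExampleOS', '4.1', 'ExampleVAX');
INSERT INTO platform VALUES (2, 'ExampleOS', '4.2', 'ExampleVAX');
INSERT INTO third_party VALUES (1, 'ExampleMail', '2.0');
INSERT INTO vulnerability VALUES
  (1, 1, NULL, 'login sequence', 'no lockout after repeated failed logins', 1, 'contributor-a'),
  (2, 1, 1,    'message parser', 'malformed header crashes the daemon',     1, NULL),
  (3, 2, NULL, 'login sequence', 'lockout added; failure timing still differs', 0, 'contributor-b');
INSERT INTO incident VALUES
  (1, 1, '1992-09-01', 'bank',       'password guessing', 1),
  (2, 1, '1992-09-03', 'university', 'password guessing', 0),
  (3, 2, '1992-09-10', 'bank',       'malformed input',   1),
  (4, 3, '1992-09-20', 'bank',       'password guessing', 0);
"""

# Shared tail: join a vulnerability (alias v) to its platform and filter on
# the (os_name, os_ver, hardware) triple.  Each query binds these three
# parameters first, then its own.
PLATFORM_FILTER = (
    " JOIN platform p ON p.id = v.platform_id"
    " WHERE p.os_name = ? AND p.os_ver = ? AND p.hardware = ?"
)


def build_db():
    """Create an in-memory ITVRD loaded with the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def compromises_for(conn, os_name, os_ver, hardware):
    """'Show me recorded instances of compromise for version xxx of yyy on zzz.'"""
    rows = conn.execute(
        "SELECT i.id FROM incident i JOIN vulnerability v ON v.id = i.vuln_id"
        + PLATFORM_FILTER + " AND i.compromised = 1 ORDER BY i.id",
        (os_name, os_ver, hardware)).fetchall()
    return [r[0] for r in rows]


def vulnerabilities_in(conn, component, os_name, os_ver, hardware):
    """'Show me known vulnerabilities of the <component> ...' -> (summary, verified)."""
    return conn.execute(
        "SELECT v.summary, v.verified FROM vulnerability v"
        + PLATFORM_FILTER + " AND v.component = ? ORDER BY v.id",
        (os_name, os_ver, hardware, component)).fetchall()


def product_compromises(conn, product, version, os_name, os_ver, hardware):
    """'Show me compromises of version AAA of BBB running under xxx of yyy on zzz.'"""
    rows = conn.execute(
        "SELECT i.id FROM incident i JOIN vulnerability v ON v.id = i.vuln_id"
        " JOIN third_party t ON t.id = v.product_id"
        + PLATFORM_FILTER + " AND t.product = ? AND t.version = ?"
        " AND i.compromised = 1 ORDER BY i.id",
        (os_name, os_ver, hardware, product, version)).fetchall()
    return [r[0] for r in rows]


def attacks_on_sector(conn, attack_class, sector, os_name, os_ver, hardware):
    """'Show me instances of <attack> on xxx of yyy on zzz at <sector>.'
    Returns (incident id, compromised) so failed attempts stay visible."""
    return conn.execute(
        "SELECT i.id, i.compromised FROM incident i"
        " JOIN vulnerability v ON v.id = i.vuln_id"
        + PLATFORM_FILTER + " AND i.attack_class = ? AND i.sector = ? ORDER BY i.id",
        (os_name, os_ver, hardware, attack_class, sector)).fetchall()


def pending_review(conn):
    """Unverified submissions as (vuln id, is_anonymous): the editing queue."""
    rows = conn.execute(
        "SELECT id, contributor IS NULL FROM vulnerability"
        " WHERE verified = 0 ORDER BY id").fetchall()
    return [(r[0], bool(r[1])) for r in rows]
```

Keying everything on a normalized platform triple is what lets one
schema answer all four questions with the same join; the `verified`
flag and nullable `contributor` let a maintainer separate edited,
attributed entries from raw anonymous submissions without discarding
the latter.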

It is widely known that the flow of security-related information is
carefully controlled and that such information is not readily or
widely available to those who need it to protect their systems and
networks.  There is plenty of information available - but its
availability seems limited to the underground.  While this apparently
serves those who know and control this information, it does little
to help those who are trying to protect their systems and networks.
Security by obscurity is widely known to be a flawed concept.  My
argument would be that this game of security incident/vulnerability
tracking is a lot like dealing with the AIDS crisis.  If we don't
start talking openly about it, we are all in trouble(1).

While some of the various computer incident handling capabilities do
an excellent job of distributing SOME significant vulnerability and
incident information publicly(2), VERY LITTLE detailed information
gets disseminated in comparison to the number of known vulnerabilities
and known incidents.  In addition, those who are not connected to the
Internet have a difficult time staying abreast of those incidents that
are reported.  Worse yet, I speculate that the majority of systems and
private networks that exist in the world today are simply not even
tapped into the meager flow of security-related information that does
exist.

I believe that this sad situation is due to the politics of security
vulnerability information between vendors in the market(3), and an
inherent desire to control the distribution of this information by the
portion of the security community that has placed themselves in charge
of it.  As proof of this, consider that prototypes of system and
network security-related ITVRDs are known to have been funded by the
government, but were stopped when the funding agency wanted to
classify the effort, making it publicly inaccessible(4).  What we - as
a community - are left with is an odd situation where the best
collections of vulnerability information are to be found only on the
clandestine sources of the world's underground computer community.

At this writing, the Defense Advanced Research Projects Agency's
(DARPA) Computer Emergency Response Team (CERT) is reporting on the
order of 3 incidents per day, but we - as a community - hear very
little about the exact nature of these problems, how they can be used
against our systems or their fixes. While the relatively new Forum of
Incident Response and Security Teams (FIRST) is working on the
problems associated with the design and implementation of an ITVRD,
their discussions are carefully restricted to their members and this
topic has been under discussion for quite a long time with no
apparent movement.  In addition, most of us are not members of FIRST,
so we can't contribute to the discussions even if we wanted to do so.

Since I know that the formation of a widely available ITVRD is a very,
very emotional issue in the security community and since I am not
willing to suggest that I have the best design and implementation plan
for it in mind - I'm simply throwing the question out into the
community for an open, vigorous debate: how can a system and network
security-related ITVRD be implemented - or should it even be
implemented?  Based on my recent, unsuccessful experiences in trying
to get members of the legitimate security community at large to talk
to members of the world's computer underground, I have decided that it
is not prudent for me to proceed with the design and implementation of
an ITVRD until some consensus in the community is reached about how -
or even if - such a thing should be done.

As a seed for the debate, here are some of the questions surrounding
the implementation of an ITVRD that I think need vigorous discussion by
the community.  Please consider them carefully and offer us your
thoughts.  Post your reply to this channel or send it to me at any of
the addresses below and I will collect it, combine it with others that
I receive and report it in some regular manner which is yet to be
determined.

A Myriad of hard questions:

What of the morals and ethics questions that surround the
establishment of a widely available ITVRD?  While this is not a new
idea(5), we are talking about the morals and ethics of making an ITVRD
available to anyone who wants access to it.  This necessarily includes
those that are not members of the legitimate security community.  Even
though information such as that which an ITVRD would hold is readily
available now, it takes a lot of time and energy to find it. An ITVRD
would make incident and vulnerability information trivially available
to anyone who wanted it.

How should an ITVRD be accessible?  Should it be a database on the
network that can be accessed by simply sending a well-formed query via
electronic mail to a database server?  Should an ITVRD allow
interactive access?  Should it be available via a toll-free, 1-800
number?  A pay per-call, 1-900 number?

Since it has its own very well-developed channels of communication,
why would the underground even care to contribute to such an ITVRD?
Would a widely accessible ITVRD threaten or replace popular
underground publications like Hack-Tic or 2600?  Would the underground
be happy with attribution for the holes that they find?  Would the
contributors to an ITVRD even want to be identified?

Should a subscriber-based ITVRD pay its contributors for their
submissions? If so, on what basis and how much?  Should it be
available to those that want to passively access it without
contributing to it?  Should this access be on a subscription basis?
If so, does such a subscription service need some sort of
authentication to restrict access to only legitimate, paid
subscribers?

Should the contents of an ITVRD be exactly what is submitted to it, or
should submissions to it be edited and/or verified for authenticity?
If editing, verification and authentication of submissions are to take
place, who should do this and under what rules should it be done?  In
recognition that many organizations do not currently report their
security problems, should anonymous submissions be allowed?

Should such an ITVRD be in the public domain or should it be private
property?

Where should an on-line ITVRD be maintained?  Should it be located
outside the traditional boundaries of countries that would restrict its
availability?

I am sure that I have missed many, many important questions.  Please
contribute to this discussion.

Electronic mail: Internet - kaplan@mis.arizona.edu
                 BITNET - KAPLAN@ARIZMIS

Snail mail:
Ray Kaplan
P.O. Box 42650
Tucson, AZ  85733-2650
FAX - (602) 791-3325

This has been posted to:

Some common Network Newsgroups, and the DECUS DECUServe bbs.  Several
of the world's underground publications: 2600 and HacK-Tic.  Selected
members of the security community.

Please feel free to re-post this anywhere you see fit - it is hereby
released into the public domain. If you post it somewhere - please let
me know where you put it so I can try and track the discussions - I'd
like to do a summary of it all one of these days.

In advance, thanks for your time and consideration.  Since I know that
the ire of powerful forces in the security community may be stirred up
by the idea of publicly discussing the design and operation of an
ITVRD, I only hope that a reasoned exchange of ideas will follow.

++++++++++

(1) I get into some interesting discussions with people who argue that
secrecy is the best course of action.  For instance, while splitting
hairs on the tough subject of when you begin (or if there even should
BE) sex education, there is an argument that says educating very young
people about their sexuality will induce them to experiment where they
otherwise might not do so.  In my view, this is similar to discussions
that I have with those that oppose the implementation of an ITVRD.
There are those that say the mere availability of an ITVRD will cause
more incidents.  In the face of this criticism, I say that while this
may be true, at least system and network managers WILL have a
reference for this information where currently there is none.  Just
think, the formation of an ITVRD may lead to vendors actually shipping
a document that describes the known vulnerabilities of their systems
to their customers.  Sort of like the Surgeon General's warning on
alcohol and tobacco products?

(2) Of note here is the Defense Advanced Research Projects Agency's
(DARPA) Computer Emergency Response Team (CERT).  While these
consummate professionals do an excellent job of distributing incident
and vulnerability-related information to the Internet community, not
nearly enough is being done.

(3) While it is clear that there are vulnerabilities which affect many
vendors, there is evidence to suggest that some vendors in the
incident response community don't acknowledge those reports by other
vendors which clearly affect their own systems - let alone reporting
all of the vulnerabilities of their own systems.

(4) References available if you'd like them.

(5) There most certainly are ITVRDs currently being maintained in
various places.

------------------------------

End of Computer Underground Digest #4.48
************************************