****************************************************************************
                 >C O M P U T E R   U N D E R G R O U N D<
                               >D I G E S T<
              ***  Volume 1, Issue #1.03 (April 8, 1990)  **
****************************************************************************

MODERATORS:  Jim Thomas / Gordon Meyer
REPLY TO:    TK0JUT2@NIU.bitnet

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.
--------------------------------------------------------------------
DISCLAIMER: The views represented herein do not necessarily represent the
            views of the moderators. Contributors assume all
            responsibility for assuring that articles submitted do not
            violate copyright protections.
--------------------------------------------------------------------

***************************************************************
***  Computer Underground Digest Issue #1.03 / File 3 of 6  ***
***************************************************************

(Contributed by Ellis Dea)

The March 19, 1990 issue of The Scientist contains an article titled "NASA
Network Faulted for Security Gaps" (2, 12). An interesting heading of the
page twelve continuation of the article is "NASA Says Best Defense Against
Hackers is Prosecution" (12). The Scientist, as usual, maintains its
objectivity through the novel approach of supporting BOTH sides of the
issue. Although I find it difficult to raise ambivalence and equivocation
to the level of objectivity, the publication should at least be commended
for at least mentioning the faulty security, especially as almost everybody
reading this knows full well that the system password for NASA's computer
system was for a long time 3210 (clever? who would ever think of trying
that?).

SPAN (Space Physics Analysis Network) is an unclassified network on which
research scientists share information that is vital to their work.
Much of the information could be of general interest, but much of it would
be far over the head of the average "hacker." SPAN investigates every
violation of security, it says, but one wonders why. None of the alleged
incidents have resulted in any loss of data, thus proving that those who
did gain access illegally had no malice in mind. If they had resulted in
loss of data, however, I would strongly question why that information was
not backed up. Better yet, why is the information restricted at all? Why
not simply make this information available to the general public, perhaps
on a duplicate machine?

What is happening here is a conflict between the General Accounting Office
(GAO) and the people who are trying to maintain the computer system. The
GAO is pointing out, quite correctly, that they are doing their jobs. NASA
is countering that it is much better to prosecute than to prevent (not
quite in those words, but that is the point that emerges). The truth of the
matter is that those who are supposed to be preventing unauthorized access
to the SPAN network are incompetent. The best way to cover up incompetence
is to hide behind some sort of moral or legal shield.

Actually, what the GAO says in its report makes perfect sense, which may be
one reason why NASA is resisting it and posturing instead:

     "Suppose a SPAN user at university X taps into the system and is
     connected with the Johnson Space Center. And suppose he figures out
     how to bypass the files he is pointed to and taps into another
     database. Could he cause significant damage to that system if he
     tried to change it? And what's the information worth? That's what
     we think NASA should be trying to find out."

Suppose the system is such that he could NOT cause significant damage? Why
worry about it then? Suppose the information is worthless? Why bother? Why
not try to find out? Because this "hacker" could cause significant damage
and NASA knows it. Furthermore, NASA is incapable, at the present time, of
preventing it.
If NASA had enough brains, it would hire some of these "hackers" as
consultants and fix their systems rather than expecting our penal system to
do it for them.

At the present time, it seems that NASA is relying on the threat of
prosecution to prevent unauthorized access to SPAN. One of NASA's arguments
is that to increase security would make access more difficult. Since their
database is designed primarily for scientists, especially astrophysicists,
one can not expect them to make the system too complicated and thus above
the heads of their users, but one can expect at least a modicum of
expertise in these areas from them.

Certainly, the threat of prosecution seems absurd. We can realize its
absurdity by making a simple analogy to everyday life. Of course, it may be
considered a bit unfair by NASA for us to expect them to take reality into
consideration, but a bit of common sense can not always be out of place.

The situation seems to me analogous to saying that we will no longer lock
the doors to our homes or automobiles when we leave them -- we will
henceforth rely on law enforcement to protect our belongings. From now on,
we will impose draconian penalties on anyone who steals anything from us
without our permission. We will cut their fingers or hands off, castrate
them, etc. Even under these conditions, even with a tremendous influx of
money for enforcement of these penalties, I am sure that we would continue
to lock our doors and I am somewhat certain that even those speaking for
NASA in this case would continue to lock their doors.

If I could humbly offer a bit of advice to NASA: lock your doors.
Furthermore, if you find that a hacker has opened your door, why not seek
his advice on how to lock it better? Why not even sponsor some sort of
contest? See who does the best job of getting around your security (for
they will anyway) and reward that person. Or perhaps punish him by putting
HIM in charge of your computer security.
He could certainly do a damn better job of it than you are doing now and
you could go back to your research.