Aucbarpa.982
net.followup
utcsrgv!utzoo!decvax!ucbvax!ARPAVAX:arnold
Thu Mar 11 15:50:50 1982
Security and user environments

The greatest advance in security here at Berkeley (and what led to the fact that the security bug "discovered" here wasn't exploited (much)) had nothing to do with software, but with the attitude of the persons involved in running the system here. I will elaborate, but names will be left out.

The last system manager we had for our main undergraduate computer acted in a paranoid fashion. He used more resources adding snooping frobs into the system and using them than in improving the system. During this time, of course, there was an underground, and several people broke into the system. Most of the use wasn't malicious, however, but only a few holes were patched by the system people.

After he left to form his own UNIX consulting firm, the person who took over followed a different tack. He co-opted several of the more promising hackers into doing system work, was open and friendly, didn't spend time and resources snooping around (well, hardly any). Now, the most common thing to happen when a user finds a security problem is to \report/ it to him or one of the co-opted hackers. The bug gets fixed, and we all live happily ever after.

Of course, there are still people bent on destructive hole searching and abusing, but persons of essentially good nature who stumble on or search holes out are much more likely to help them get fixed.

Moral? Treat your users like friends, not enemies.

Ken

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/

This Usenet Oldnews Archive article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.
2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.