HP3000-L Archives

January 1995, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Bruce Toback <[log in to unmask]>
Reply To: Bruce Toback <[log in to unmask]>
Date: Sun, 29 Jan 1995 10:27:42 -0800

Jim Knight writes:
>  Actually, it's important for systems managers to know how people can
>attack your system.  I managed to snag a document on hacking the hp3000
>that was floating around on the Internet.  I forwarded this to Isaac,
>in the hopes that it could be useful material for SIGSYSMAN.  I considered
>sending it to this list, but have not done so up to this point.  Security
>through obscurity is certainly nonsense.
 
This kind of thing is not universally welcomed, though it should be. I
used to write a column for Interact, and one of the columns gave fifteen
common ways of attacking an HP3000 system. Securing a system against the
entire fifteen would take about five minutes.
 
For the next six months, I received angry letters from readers and was
accosted by upset system managers at shows. The argument that "if I know
these, then someone else does too" was usually countered with "but
_my_ users wouldn't have known if you hadn't told them." It's useless
discussing the issue with them; they refuse to consider that even if their
users are as ignorant as they think, some of them might have smart friends,
or the attackers might not be legitimate users at all.  ("I don't publish
my modem numbers!") Many of the attacks I described were nothing more than
privileged accounts that tend to be left unsecured because system managers
aren't told about them (does "HELLO ALFREDO.REGO/ANTIGUA" still work?).
None of the attacks would require access to nondisclosure or hard-to-obtain
information such as operating system source code to be discovered.
 
If you find such a security problem -- one that can be discovered without
access to privileged information -- my suggestion is that you always
publicize it, together with whatever can be done to remedy it. Just be
aware that some system managers "have too much to do to go
putting passwords on everything," as one system "manager" put it while
castigating me for my treason.
 
-- Bruce
