Re: nobody stuff

Ryan Shelswell (Ryan.Shelswell@nospam.uts.edu.au)
Thu, 30 May 1996 13:45:23 +1000 (EAST)

>Generally I regard Ryan as a rational individual.

Why thank you.

> It appears that his
>rationality collapses when he feels that he isn't being fed all
>of the facts.

Ok, let's check out the "collapse of rationality" that I'm laboring under.

I complained that you are not running ProgSoc as a programmers' society at
a university, in that I would expect you would keep members advised of your
motivations and justifications for how the computer systems are set up.

If this was "Comp Soc" running a computer, I would expect that members need
not be told in great detail how or why a particular problem arose or was
fixed on the machines; however, it's not. It's a society for people who
like to muck around with computers. And as such, I would expect that if
members want to know why you're doing something, and how it fixes it, and
what was the problem before, that you would tell them.

Apparently not.

Apparently, you feel that you have a greater responsibility, that of
protecting the world's computer systems from the evil members of progsoc
who are just waiting to snatch up your precious little bits of knowledge to
go and break into systems everywhere.

Apparently, you just cannot afford to tell the membership what's wrong, if
there have been real problems, what the problems are, and how or if your
"fix" really fixes them... all a bit silly, considering the information is
available on the net anyway.

Readers can go through the blow-by-blow (below), or skip to the summary at
the end, or just give up and do something more interesting.

>> I think the problem we're having here is that you're saying "Hi! We're a
>> programming society dedicated to learning and dissemination of programming
>> knowledge. By the way, we just fixed something to make our web server more
>> secure, but we're not going to tell you why or how because then you might
>> learn something. Have a nice day."
>
>You are entitled to your incorrect opinion. I support the facilitating
>of learning. I do not support the dissemination of information about techniques
>for compromising security measures.

What you do or do not personally support doesn't matter a spitwad to me.
You have a job to do as part of the executive of a University society.

Besides which, if people who are actually involved with important computer
security issues felt as you do, you wouldn't have found out either. And
then where would you be?

>Oops - Ryan appears to have "accidentally" responded to private email
>in a public place. He has since apologised. Perhaps it really was an accident.

Yes, I accidentally posted it... re-reading it, I still can't believe that
you actually sent mail just to _me_ worded like that.

>> I think it's more that people don't like the ex cathedra decisions which
>
>I don't understand the term, but I assume that you are referring to
>decisions made without member consultation and on which the
>executive wishes to remain silent. Yep, we appear to have handled this badly.
>Sorry. We'll try to do it better next time.

Alright! Now you're getting the idea!

>> Don't you think that anyone who would go do it from here could have done
>> the same from the hints before?
>
>No.

Ah, so you must be worried about the computer cracking teams that
desperately want to break into ftoomsh and other machines... that don't
know how to use "NetSearch"!

>> Wasn't ProgSoc started so people could share Unix hacking tips?
>
>In the sense of telling people how to compromise security measures?

Tell me, can you read a whole paragraph without responding?

>NO. ABSOLUTELY NOT.

Didn't think so.

See? Doesn't make so much sense when you start cutting the lines out of
context, right?

Tell you what, you reply without cutting my context and I will too, ok?

>ProgSoc was initially conceived (in the minds of Chris Keane and myself) to
>further UNIX hacking - in a sense that did not encompass cracking.

...but may have had something to do with, say, systems administration and
security.

>> You're not running a corporate network here. Know what I mean?
>
>I understand the words - but not your implication.
>
>If you are suggesting that we can therefore be lax on threats to our
>security (and by implication threats posed by ProgSoc to that of other
>organisations) then I simply don't agree with you.

Nope. I was saying (and let me say it once again) that you need to keep
your membership informed, especially if they ask for details. Your
membership is more technically inclined than you seem to be aware.

You know, for people who've had a big security hole on their network that
has been publicly signalled on the 'net for at least seven months,
the "professionals" attitude doesn't go down so cleanly. Why didn't you
just disable cgi's and then say "Oh-oh. Someone has been stuffing around
on ftoomsh. We just realised we can stop this with cgi-wrap. What do you
guys think?" (and then lay out the issues) - instead of all this
overly-formal crap about "compromising security measures" by releasing
information publicly available anyway?

>Regrettably, you personally have taken ProgSoc another step down
>the road to a corporate style operation. Anton's post was not
>officially endorsed, vetted or even previewed by the executive. He
>was simply informing the membership of a change. Different, more careful
>wording of the announcement would almost certainly have avoided the need
>for this entire exchange.

I thought Anton's post was fine. It's _your_ posts I take issue with.
In fact, Anton (and some others) gave me the info I was after privately,
which I think was completely appropriate.

>next time
>the executive needs to deal with something controversial, we'll have to
>stop and consider the selling of the idea, as well as simply considering
>technical ramifications.

Well I suggest you also stop and consider being open and up-front with the
membership, instead of trying to hide behind obscurity... especially when
it comes to technical ramifications.

>Perhaps those who have suggested that there would be advantage in shrinking
>ProgSoc are right, to some extent.

It's not your bat and ball Raz.

In summary, I think that considering this is a "Programmers' Society", with
a considerable (and vocal :-) percentage of the membership interested in
"technical ramifications", that it would be appropriate to discuss these.
I would be only too happy if you reached the same decision... after some
debate. You may even find that there are alternatives that everyone is
happier with. And while you don't have to reveal the exact names and dates
of security intrusions, you can certainly reveal "the current
situation" a lot better. You should also be prepared to justify your
actions to the proportion of the membership who are listening and
interested. I agree that many members are uninterested, in which case they
are probably not subscribed and will not be bothered by the debate;
however, many are interested.

I don't think any of this is unreasonable, and it has been done previously
when ProgSoc, although not as large as it is now, was still big enough that
people didn't know each other. Thank you for acknowledging the matter
hasn't been handled well. Please respond (to the list), if you feel you
cannot agree with the above requests.

Ryan