The Best of Creative Computing Volume 1 (published 1976)
Is Breaking Into A Timesharing System a Crime? (Cracking, security)
Is Breaking Into A Timesharing System A Crime?
Is it a crime to practise the art of attempting
to defeat the software security of a time-sharing
computer? There are several cases that we should
consider here: in the first case the user is solely
concerned with demonstrating that the software is
not secure and once he has done this he delights in
revealing the circumstances to his computer centre
(and probably suggests what they should do to
avoid such breaches of security in the future.)
Secondly a user may simply abandon all interest as
soon as he has achieved his object but fails to tell
anyone and fails to keep secure the knowledge that
he has gained. In the third case we consider a user
who deliberately breaks the security of a system so
that he can vandalise data belonging to other users
and finally we must consider the case of the user
who gains illegal access to data for personal gain.
In an educational environment we must consider
these cases in the same way that we might
consider the case of a boy who attempts to defeat
the combination lock on someone else's bicycle.
Any boy who behaves like this is certainly foolish
for his motives are almost certain to be misunderstood
by anyone in authority who catches him.
But we must not make crimes where none exist for
in all probability the motivation is the intellectual
challenge not the thought of subsequent gain. How
then ought we to advise our students on this issue?
It seems to me that we should not attempt to
dissuade our students from practising this art, for
we shall not succeed in stopping all cases only
those that are least harmful to the system. The
student in the first category might well be of
benefit to users generally (although the computer
centre may not think so for undoubtedly he makes
more work for them). The student who commits
acts of vandalism on the other hand is a public
nuisance and will probably be recognised as such
by his colleagues who simply want to use the
system. Admittedly any kind of vandalism can
sometimes be classified as a ”joke". But here the
general rule that, once is folly, twice is a nuisance
and three times is wicked, holds good.
It is going to be counterproductive to take
these so-called jokes too seriously since in all
probability scolding will simply make it seem more
funny. Breaking the security of the system for
material gain in practice is unlikely to happen for it
is difficult to see what a student could hope to gain
by it. Although theoretically a teacher might leave
a confidential examination question on the system,
in practice he would be very unlikely and some
what foolish to do so. There can be very little to be
gained from illegal access to the system since legal
access must and should be so easy so that although
any lack of security in an educational time-sharing
system must worry people, there is probably little
likelihood of any great harm being done provided
we keep a sense of proportion.
Of course, it should be impossible for any
student to succeed in breaching the security barrier
and as time passes we shall probably find that it is
virtually impossible to succeed. Is attempting to
defeat the manufacturers security software a waste
of computing resources? That is another matter
entirely and one perhaps we could discuss on a
future occasion. Has anyone any views?
In Hatfield, the Computer Centre at the
Polytechnic is well aware of these problems and,
like many educational services, is short of resources
to cope with them. Maybe they should be protected
from the onslaught of students who always
seem to have a desire to take things to pieces to see
how they work. We talk about teaching the social
implications of computers and perhaps lesson time
spent on this issue and related topics might help to
give students a better appreciation of all the
problems.
W. Tagg
Reprinted with permission from Advisory Unit for Computer Based
Education Bulletin, Hatfield, Hertfordshire, England.
Dear Editor:
As the former Systems Programmer for the Long Island
Regional lnstnictional Computer Services (LIRICS) I am
well aware of the problem of students compromising
software security. (Editorial, Jan-Feb 1975) At LIRICS we
had to deal with all three types of security breachers
described by Mr. Tagg in over 60 school districts.
Students who discovered ways to breach system
security and reported it to me without using it were
thanked. Such students saved many man-hours of blind
searching which would haye been required had a malicious
user discovered the problem.
Students that discovered but did not use or report
problems were ignored since we could not track them down
anyway.
Students who used holes in the software security to
disrupt our operation in any manner were attacked from
two directions. Management attacked with a seek and
destroy type inquiry while software people attacked with
rigged controls and monitoring.
We believe our method of dealing with these students
was successful. I would suggest that educational institutions
encourage experimentation but attack malicious students
with a determined and sneaky software specialist.
Harold R. Berenson
Syosset, New York
"The computer is incredibly fast, accurate, and stupid. Man is unbelievably
slow, inaccurate, and brilliant. The marriage of the two is a force beyond
calculation."
Leo Cherne
