Prosecution of Cracking Security Systems
At 9:42 PM 9/20/95, Brian Davis wrote:
Certainly, Cypherpunks has gotten press lately, and what I've seen has been good press. Capitalize on it.
Finally, I've got to say that, as someone new to the concepts discussed here, I found it extremely cool to read about the latest break here and then see it in the news a day or two later.
Indeed, it gives you a day's head start in preparing a prosecution! (Just kidding, of course. Brian may be a DA, but he's showing signs of being "one of us.")

And on a serious note, the cracks of these various systems are helpful to the overall community. Better locks.

To pick up on a point Brian made several days ago about whether or not hackers who break into systems should be applauded, criticized, prosecuted, whatever, this is how I see things, in direct parallel with the recent Netscape cracks:

* Situation 1: A person who enters my home by bypassing locks cannot claim to be "just testing security" and should be prosecuted for trespass, if nothing else.

* Situation 2: However, a person who publicly demonstrates that a well-known type of lock is weak and can be easily bypassed is well within his rights and is, I think, doing the community a favor. I mean that he demonstrates this on a lock, or system, and not by breaking into a system. (It may be true that some number of potential thieves use the knowledge that a given lock is weak to commit crimes, but that's not the responsibility of the person demonstrating the weakness.)

(Sidebar: There are some subtleties. What about someone who breaks into a computer system and leaves a harmless message announcing his intrusion? What about someone who enters my house while I'm asleep and leaves a message saying "Get better locks!"? What about Randall Schwartz and his security checks of his employer, Intel?)

It seems clear to me that the breaking of Netscape's security is an example of Situation 2. And many cracker break-ins are Situation 1, though in many cases the crackers are not full-fledged criminals and may think they are just testing security. (This goes to motive, I'm sure Brian would agree, and may be why a 16-year-old cracker gets a suspended sentence instead of hard time.)

(A more problematic case is what about systems with very weak or no security? This is somewhat like a yard with no clearly marked boundary, no fence, etc., or like a beach towel with valuables left on it. We've debated issues like this several times on the Cyberia list, so I won't here.)

One thing that worries me is that some of the proposed laws about intellectual property and enforcement of copyrights may make it illegal to try to break the cryptographic protections of systems, even systems one has control over. (Some similarities to the "no reverse engineering" shrink-wrap licenses.) It's conceivable that Netscape Communications could, under these "anti-hacking" laws, seek a prosecution of some future Goldberg and Wagner.

My guiding principles about locks and security are these:

* Theft is theft, even if a bicycle is left unlocked or a house door is left ajar.

* However, the first line of defense is for a property owner to lock his property up, to place fences around property, etc. Cops cannot protect in all situations, which is why security services and tools exist.

* Since enforcement resources are limited, I can understand why the investigation of a theft involving unlocked, unsecured property is given low priority. This doesn't make the theft "right," and if the thief is somehow caught he cannot use the "But it was unlocked!" defense.

(These problems are lessened in a system where people pay for protection, as with insurance systems, and of course as with anarcho-capitalism of the sort discussed by Benson, Friedman, and others.)

--Tim May

Notice: With 1000 people on the Cypherpunks list, and many on other lists I am on, nearly every article I write generates at least one question, request for more information, dispute with my choice of words, etc. I have been trying to respond to these, usually privately, but the burden has become too much, and I no longer plan to respond to trivial or ephemeral points. If you don't hear from me, this is why. Some requests for pointers to information will still be handled, but I advise people to learn how to use the archives and/or search tools.

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."