Guilt and Action

After reading The Cuckoo's Egg, I've had to add one more book to the list of books that dredge up feelings of guilt when read.  Oh, the poor, poor systems I've configured.  So open.  So vulnerable.  Of course I had heard of hackers, I knew that they took advantage of vulnerable systems.  "So what?" I thought, "Who would want to take advantage of some purely academic system?  It just handles boring data from experiments."  I was so wrong.  I'd never thought of hackers using my machines as lily pads on their jump across the internet to their real targets.  I want to go back in time and tell myself to be more careful.  But I can't change the past, so on to action and the future.

There are several things that must change:

• No more complacency and universal trust.  While most people are trustworthy there are some sinister snakes seeking to sneak into servers.  The more restricted the server is, the better.  Only valid users should be able to get in. And password and other vital files should be hidden from everyone but the administrators.  
• Assume that people are not going to play nice with software.  Assume that they are going to look for weaknesses.  More security testing needs to be done.   
• Every program needs to be tested for security.  Even a small editing program, like Gnu-Emacs, can be the hole hackers are looking for.  
• Computer accounting needs to be more stressed in the field.  If someone breaks in, how are you going to know about it?  How are you going to know who is on the computer, what is being done, and for how long without computer accounting?

I demand that everyone in the industry care about security!  I know that almost no one will read this, but I demand that all who do think about it!  Every program that is going beyond the classroom should be tested for security.  Buffer overflows, users without permissions, weak passwords, and other security topics need to be thought about before you can think about releasing "working" software.  The software doesn't work until it is secure.