From: Steve Bellovin <smb@research.att.com>
To: Vin McLellan <vin@shore.net>
Message Hash: c3c5fb0f03b25a23a6a1ef77f229bbe8127c650318be28733c4684bdbaaba351
Message ID: <199810262226.RAA12688@postal.research.att.com>
Reply To: N/A
UTC Datetime: 1998-10-26 23:04:33 UTC
Raw Date: Tue, 27 Oct 1998 07:04:33 +0800
From: Steve Bellovin <smb@research.att.com>
Date: Tue, 27 Oct 1998 07:04:33 +0800
To: Vin McLellan <vin@shore.net>
Subject: log files (was: Re: dbts: Cryptographic Dog Stocks, The Dirigible Biplane, and Sending the Wizards Back to Menlo Park )
Message-ID: <199810262226.RAA12688@postal.research.att.com>
MIME-Version: 1.0
Content-Type: text/plain
> It strikes me that while Mr. Hettinga and other e$ seers may have
> spent the past decade considering how to allow transactional exchanges to
> escape a human linkage, most professional sysops and network managers have
> been concerned with how to strengthen the linkage between on-line accounts,
> actions, and audit trails -- and the humans to which a user's account has
> been assigned.
Leaving aside the rest of this discussion, Vin touches on a point that
I think has been ignored by some: operations demand log files. That
is -- and I'm doffing my security hat here and donning the hat of someone
who has been running computer systems and networks for 30+ years --
when I'm trying to manage a system and/or troubleshoot a problem,
I *want* log files, as many as I can get and cross-referenced 17 different
ways. This isn't a security issue -- most system administrator headaches are
due to the "benign indifference of the universe", or maybe to Murphy's Law
-- but simply a question of having enough information to trace the
the perturbations caused to the system by any given stimulus.
The more anonymity, and the more privacy cut-outs, the harder this is.
I claim, therefore, that the true cost of running such a system is
inherently *higher*. There may be, as some have claimed, offesetting
operational advantages. But the savings from those advantages need to
be balanced against losses due to hard-to-find bugs, or even bugs that
one isn't aware of because there's insufficient logging. Remember
that double-entry bookkeeping catches all sorts of errors, not just
(or even primarily) embezzlement.
To be sure, one can assert that the philosophical gains -- privacy,
libertarianism, what have you -- are sufficiently important that this
price is worth paying. With all due respect, I will assert that
that debate is off-topic for this list, and is best discussed over
large quantities of ethanol.
Return to October 1998
Return to “Steve Bellovin <smb@research.att.com>”