weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/04/88)
I think the purpose of this worm is to scare the shit out of everyone. As in: "This is a test. This is only a test. Had this been an actual virus, you would all (in another two months) be up shit's creek without a paddle, compass, or bowsprit."

There's a cluster of machines at the University of ********* that hang if anyone on the ARPANET merely pongs them. The sysadmins and programmers have been asked to fix it, but their response is that they can't afford to. JHCOAB, they can't afford to NOT fix it.

Me? I encourage the wormer to keep testing once a month.

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720
rosenblg@acf3.NYU.EDU (Gary J. Rosenblum) (11/09/88)
Do you also believe then that you can point out a bank's security problems by going in and robbing it? Yes, there are quite a few security holes in Unix, and they need to be fixed. But is effectively crippling the work of a great number of people all across the world (mostly US) the best way to point out these problems?

Here at NYU the people who were hurt the most were undergrads and grad students doing their assignments and what-have-you. Who was he trying to point out these problems TO? If the vendor/developer of the code was his "target" (for lack of a better word), why did end-users have to suffer? An extraordinarily large number of people had to deal with the problems caused by the worm. The end certainly does not justify the means.

I am not one to say 'hang him as a symbol to all those who might try this', in fact I have not made up my mind what *I* would do with him (but that's not my decision, merely my opinion). But there are far less irresponsible ways of pointing out problems than the way he chose.

Gary J. Rosenblum UNIX Systems Manager rosenblg@nyu.edu
New York University gary@nyu.edu, gary@acf3.nyu.edu
johnl@n3dmc.UU.NET (John Limpert) (11/10/88)
In article <2210004@acf3.NYU.EDU> rosenblg@acf3.NYU.EDU (Gary J. Rosenblum) writes:
>Do you also believe then that you can point out a bank's security
>problems by going in and robbing it? Yes, there are quite a few
>security holes in Unix, and they need to be fixed. But is effectively
>crippling the work of a great number of people all across the
>world (mostly US) the best way to point out these problems?

I'm sorry to say that this may have been the only way of getting the bugs fixed. As a UNIX user and the administrator of several small machines, I am continually frustrated by the indifferent attitude of UNIX vendors, management and average users towards security. UNIX distribution kits are routinely delivered with gaping security holes in file and directory permissions and security bugs that never get fixed. I try to fix the obvious problems, but most vendors and users just yawn when you point out a problem. Management never seems to consider security when purchasing software and systems, they just want something fast, reliable and cheap.

Several people asked me about the vulnerability of our systems after the virus was publicized and the local segment of the internet was disconnected and isolated. The virus got their attention. Security costs money, but lack of security may cost more in the long run.

I have given up on vendors, they will not do anything if the customer doesn't push the issue. I would like to see the government and major corporations develop and enforce security standards on systems that they purchase. People with source licenses can fix their problems if they are aware of the problem and have the expertise to fix it. Unfortunately, I and many other people have to deal with binary distributions that aren't supported after the vendor introduces a new product line.

--
John A. Limpert UUCP: johnl@n3dmc.UUCP, johnl@n3dmc.UU.NET, uunet!n3dmc!johnl
dan@ccnysci.UUCP (Dan Schlitt) (11/15/88)
The discussion in this thread as well as much of the other discussion
related to the worm brings to mind a number of articles that have
appeared in Computers & Society, the publication of the ACM Special
Interest Group on Computers and Society. A paragraph from the Fall
1984 issue has remained in my memory. It is from the testimony of
Susan Nycum before a subcommittee of the Senate Committee on
Governmental Affairs in October of 1983. [Computers & Society
14(1984)2]
Permit me to quote it here for your edification.
"Security, whether technical processes, operations procedures
or personnel practices, is an overhead factor that usually
slows down throughput and efficiency. It is not therefore
urged by vendors as a sales promotion technique or necessarily
proposed by a user organization's first line managers to
higher management. Where effective computer security is in
place, it is usually insisted on by top management and made
part of the review of performance of those persons responsible
for its implementation. One positive result of the media
coverage of computer crime has been to alert senior management
to the substantial risks to a business organization if it
fails to take reasonable precautions to protect itself from
computer abuse."
As a part of the "first line management" I think we are all aware of
the havoc that higher management can wreak on computer communications
if they panic over the recent worm. Our only real defense is to try
and prove wrong the assertion that we can have good computer security
only at the insistence of higher management.
--
Dan Schlitt Manager, Science Division Computer Facility
dan@ccnysci City College of New York
dan@ccnysci.bitnet New York, NY 10031
(212)690-6868