weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/04/88)
I think the purpose of this worm is to scare the shit out of everyone. As in: "This is a test. This is only a test. Had this been an actual virus, you would all (in another two months) be up shit's creek without a paddle, compass, or bowsprit."

There's a cluster of machines at the University of ********* that hang if anyone on the ARPANET merely pongs them. The sysadmins and programmers have been asked to fix it, but their response is that they can't afford to. JHCOAB, they can't afford to NOT fix it.

Me? I encourage the wormer to keep testing once a month.

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720

rosenblg@acf3.NYU.EDU (Gary J. Rosenblum) (11/09/88)
Do you also believe then that you can point out a bank's security problems by going in and robbing it? Yes, there are quite a few security holes in Unix, and they need to be fixed. But is effectively crippling the work of a great number of people all across the world (mostly US) the best way to point out these problems?

Here at NYU the people who were hurt the most were undergrads and grad students doing their assignments and what-have-you. Who was he trying to point out these problems TO? If the vendor/developer of the code was his "target" (for lack of a better word), why did end-users have to suffer? An extraordinarily large number of people had to deal with the problems caused by the worm. The end certainly does not justify the means.

I am not one to say 'hang him as a symbol to all those who might try this', in fact I have not made up my mind what *I* would do with him (but that's not my decision, merely my opinion). But there are far less irresponsible ways of pointing out problems than the way he chose.

Gary J. Rosenblum UNIX Systems Manager rosenblg@nyu.edu
New York University gary@nyu.edu, gary@acf3.nyu.edu

johnl@n3dmc.UU.NET (John Limpert) (11/10/88)
In article <2210004@acf3.NYU.EDU> rosenblg@acf3.NYU.EDU (Gary J. Rosenblum) writes:
>Do you also believe then that you can point out a bank's security
>problems by going in and robbing it? Yes, there are quite a few
>security holes in Unix, and they need to be fixed. But is effectively
>crippling the work of a great number of people all across the
>world (mostly US) the best way to point out these problems?

I'm sorry to say that this may have been the only way of getting the bugs fixed. As a UNIX user and the administrator of several small machines, I am continually frustrated by the indifferent attitude of UNIX vendors, management and average users towards security. UNIX distribution kits are routinely delivered with gaping security holes in file and directory permissions and security bugs that never get fixed. I try to fix the obvious problems, but most vendors and users just yawn when you point out a problem. Management never seems to consider security when purchasing software and systems, they just want something fast, reliable and cheap.

Several people asked me about the vulnerability of our systems after the virus was publicized and the local segment of the internet was disconnected and isolated. The virus got their attention. Security costs money, but lack of security may cost more in the long run.

I have given up on vendors, they will not do anything if the customer doesn't push the issue. I would like to see the government and major corporations develop and enforce security standards on systems that they purchase. People with source licenses can fix their problems if they are aware of the problem and have the expertise to fix it. Unfortunately, I and many other people have to deal with binary distributions that aren't supported after the vendor introduces a new product line.

--
John A. Limpert
UUCP: johnl@n3dmc.UUCP, johnl@n3dmc.UU.NET, uunet!n3dmc!johnl

dan@ccnysci.UUCP (Dan Schlitt) (11/15/88)
The discussion in this thread as well as much of the other discussion related to the worm brings to mind a number of articles that have appeared in Computers & Society, the publication of the ACM Special Interest Group on Computers and Society. A paragraph from the Fall 1984 issue has remained in my memory. It is from the testimony of Susan Nycum before a subcommittee of the Senate Committee on Governmental Affairs in October of 1983. [Computers & Society 14(1984)2] Permit me to quote it here for your edification.

"Security, whether technical processes, operations procedures or personnel practices, is an overhead factor that usually slows down throughput and efficiency. It is not therefore urged by vendors as a sales promotion technique or necessarily proposed by a user organization's first line managers to higher management. Where effective computer security is in place, it is usually insisted on by top management and made part of the review of performance of those persons responsible for its implementation. One positive result of the media coverage of computer crime has been to alert senior management to the substantial risks to a business organization if it fails to take reasonable precautions to protect itself from computer abuse."

As a part of the "first line management" I think we are all aware of the havoc that higher management can wreak on computer communications if they panic over the recent worm. Our only real defense is to try and prove wrong the assertion that we can have good computer security only at the insistence of higher management.

--
Dan Schlitt Manager, Science Division Computer Facility
dan@ccnysci City College of New York
dan@ccnysci.bitnet New York, NY 10031 (212)690-6868