mbt@bridge2.3Com.Com (Brad Turner) (11/15/88)
In article <1777@ndsuvax.UUCP> ncoverby@ndsuvax.UUCP (Glen Overby) writes:
>
>In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US
> (John F. Haugh II) writes:
>>It would be so nice if someone would undertake a security audit to
>>insure that work other college students did, which *is* currently
>>in production, doesn't contain any surprises.
>
>This security audit should go for any software posted to the net or
>otherwise available (anon uucp, anon FTP, etc), as well as on a per-vendor
>basis (who's to say that ABC computer maker didn't botch something in their
>port?).
>
>Glen Overby
>ncoverby@plains.nodak.edu uunet!ndsuvax!ncoverby
>ncoverby@ndsuvax (Bitnet)

(out of context of course and maybe not 100% exact)
Frank Burns: I wouldn't be so paranoid if everybody wasn't watching me

Let's all put on our paranoia pants and do the little "somebody is out to get me" dance!

I'm not suggesting that security should be ignored, or that code should never be looked at after the first successful compile. It's just that I hate to see everybody join a posse/lynch mob because of ONE (not several, ONE) incident.

So.... Face it, unless you are willing to personally inspect every piece of source for every executable that's on your machine, you're potentially compromising the security of your system. It's no good to "audit" the code, because how do you know the auditors can be trusted? Couldn't one dishonest auditor do more harm than anybody else? Think about it, one central group in charge declaring what is and is not fit. A single point of failure!

What it comes down to is the fact that systems these days are far too complicated for a single person to deal with. You have to trust your fellow human being at some point in time, otherwise everybody will be doomed to re-inventing the wheel. Do you personally have the time and expertise to code a boot load PROM? Then go from there to a monitor program to an assembly to a compiler to....vmunix...>rest-of-unix<....ad nauseam.

Then if you really want to get paranoid, how about the hardware? You're going to have to design your own CPU, mask it yourself, produce it yourself. Don't forget the glue logic, make your own 74xxx chips, resistors, caps etc... Where does it stop???? I give up, let's disband society and all go live in the woods where only the wildlife can get ya'.

While I'm on my soapbox (and guilty)...Is it possible that we (the computing community) have wasted more time discussing/arguing about the worm than we spent discovering/dissecting/eradicating/patching? My personal view is that the gossip fence has gotten overcrowded and we need to let the issue die and quit wasting net bandwidth rehashing every different flavor of the same argument/issue.

Thanks for your time, have an OK day, and DON'T post a followup.

-brad-
--
v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
Brad Turner 1330 Ashleybrook Ln. (919) 768-2097 | I speak for myself
3Com Corp. Winston-Salem, NC 27103 mbt@bridge2 | NOT for my employer.