weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/08/88)
In article <2517@cs.Buffalo.EDU>, bowen@cs (Devon E Bowen) writes:
>People keep saying this. Fact is, I already knew that computer systems are
>not secure. I knew that the Internet is not secure. I knew that sendmail is
>one of the most insecure mailers around. And I sure hope no one out there
>thought differently even before the worm. He didn't teach me a whole lot. He
>just wasted my time. And I'm not going to thank someone for wasting my time.

ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ....................................

Nice to know SOMEONE's caught on to the real issue here: learning nothing.

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720
amos@taux02.UUCP (Amos Shapir) (11/08/88)
I don't think I have seen anybody mention Sun's contribution to the spread
of the worm. It may be ok for a university-grade software to be distributed
with a debug option compiled in by default, especially when it's distributed
almost free and with its source; but taking the same program, and selling
it to unsuspecting customers without any quality check, is certainly
negligent.

--
Amos Shapir amos@nsc.com
National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522261 TWX: 33691, fax: +972-52-558322
34 48 E / 32 10 N (My other cpu is a NS32532)
yba@arrow.bellcore.com (Mark Levine) (11/10/88)
[weemba says the whole point of the worm discussion is "learning nothing"]

I stand amazed at the high pedestal we make for computers. Gee, did you know that locks can be picked? That the front door of your house can be kicked in? Your car can be stolen? Your bank vault robbed?

There is nothing wrong with security, but in the last analysis it always becomes an economic problem, and absolute security is prohibitively expensive. Every time I see a burglary reported in the press I do not expect to replace the glass windows in my house with bullet-proof plastic nor will I run out and replace all the wood with steel and concrete. By the same token I will not begin to divert all my resources from applications to improving the reliability of network services in my operating system. This seems rational, and does not excuse a failure to do maintenance when a serious problem is exposed and a free patch supplied.

For rational people, the law is a part of raising the cost of sociopathic behavior like killing and loosing tapeworms onto the network. Where accidental it is still "manslaughter" as opposed to "murder" in that the act did damage, even if not premeditated nor intentional. Making a hero of the guy who breaks into your house and shoots your dog, because it suddenly illuminates the fact that hiring a security patrol might be a good idea, is not something I want you to do.

If nothing has been learned, it is certainly in the column under "computers are not different than other spheres of human activity" -- is it not so? We know our systems are imperfect, but also that they are usable. I submit that if an admin wants to bet the 8 hours of restoring a bug-infested system from scratch against the years of vetting every piece of software he sees, that is not necessarily a bad choice. If you have much more valuable data you cannot see disrupted, get off internet, or consult your actuarial tables for the bet you can lay.

Eleazor bar Shimon, once and future Carolingian yba@sabre.bellcore.com
rob@violet.berkeley.edu (Rob Robertson) (11/12/88)
In article <241@taux02.UUCP> amos@taux02.UUCP (Amos Shapir) writes:
>I don't think I have seen anybody mention Sun's contribution to the spread
>of the worm. It may be ok for a university-grade software to be distributed
>with a debug option compiled in by default, especially when it's distributed
>almost free and with its source; but taking the same program, and selling
>it to unsuspecting customers without any quality check, is certainly
>negligent.

That combined with the notion that you think you're buying a fairly secure product in SunOS 4.0 with "Secure RPC" and that someone from Sun announced on the network that he had known about the sendmail hole for several years, makes for a great case of negligence.

Hey, if all those wasted man/staff hours have got you down, here is an all-American way to recoup it.

rob

"In Japan the ratio of lawyers to engineers is 1 : 10. In the US it's 10 : 1."