scs@itivax.UUCP (Steve C. Simmons) (11/06/88)
In the midst of all the frantic work to eradicate the worm and inoculate ourselves against it in the future, let's not forget a big Thanks to all the folks who moved so incredibly fast on finding it, creating fixes, and distributing them with large chunks of the net going to hell in a handbasket. We're in your debt, folks.

Steve Simmons, Systems Support Mgr, ITI

(yes, I know most of that's in my .sig. I wanted it here as an official thanks from ITI).
--
Steve Simmons ...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."
dewey@execu.UUCP (Dewey Henize) (11/06/88)
In article <361@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>
>In the midst of all the frantic work to eradicate the worm and
>inoculate ourselves against it in the future, let's not forget
>a big Thanks to all the folks who moved so incredibly fast on
>finding it, creating fixes, and distributing them with large
>chunks of the net going to hell in a handbasket. We're in your
>debt, folks.
>
>Steve Simmons, Systems Support Mgr, ITI

I'd like to add my thanks as well. Although a UUCP site, we didn't have any idea that that was a plus in safety. We DID know though that some really good people were working on the problem and getting timely patches and procedures distributed that our small organisation would have been completely unable to produce ourselves. Because of these people not only finding out what was going on but also informing us, we didn't have to draw back into a turtle shell and depend on poor newscasts and (shudder) the local imitation of a newspaper.

Many thanks and lots of appreciation.

On the next area of consideration, who's gonna get hold of the bastard that caused this and beat the shit out of him? Having a daddy that's a supposedly high security muckety-much should, if anything, imply that the [censored] should know a lot better... And it's not like the law is gonna do much, there isn't even a clear picture of what laws are broken by ruining the days of hundreds or thousands of people..

What the hell, someone had to say that part. If you disagree, don't let that stop you from thanking the GOOD folks.

Dewey Henize
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| There is nothing in the above message that can't be explained by sunspots. |
| execu!dewey Dewey Henize |
| Can you say standard disclaimer? I knew you could. Somehow... |
jfh@rpp386.Dallas.TX.US (John F. Haugh II) (11/07/88)
In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>I'd like to add my thanks as well. Although a UUCP site, we didn't have any
>idea that that was a plus in safety.

Hear, hear. I wish to applaud Rick Adams for sending out messages to myself and Allen Gwinn down here in Dallas letting us know something was afoot.
--
John F. Haugh II                        +----Make believe quote of the week----
VoiceNet: (214) 250-3311   Data: -6272  | Nancy Reagan on Richard Stallman:
InterNet: jfh@rpp386.Dallas.TX.US       | "Just say `Gno'"
UucpNet : <backbone>!killer!rpp386!jfh  +--------------------------------------
pengo@tmpmbx.UUCP (Hans H. Huebner) (11/07/88)
In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him? Having a daddy that's a
>supposedly high security muckety-much should, if anything, imply that the
>[censored] should know a lot better... And it's not like the law is gonna
>do much, there isn't even a clear picture of what laws are broken by ruining
>the days of hundreds or thousands of people..

Maybe you should better thank this guy as well, since he revealed some nasty bugs in widespread operating systems. He SURELY showed everyone that computer systems are not secure, and that security IS a thing one has to be aware of. Just imagine what would have happened if the worm/virus had contained some nasty code to destroy files or the like. The sendmail bug certainly gave the worm access rights to destroy mail and eventually other vital system information.

I'd be careful in generally judging hackers as bad guys. Better think about the possibilities bugs can give to your favoured opponent. Every hour spent in the last week to get rid of the worm is a good investment in the security of future software products.

Let's be happy that it is over, and that the Internet is now more secure.

Hans
--
Hans H. Huebner, netmbx     | PSIMail: PSI%026245300043100::PENGO
Woerther Str. 36            | DOMAIN: pengo@tmpmbx.UUCP
D-1000 Berlin 20, W.Germany | Bang: ..!{pyramid,unido}!tmpmbx!pengo
Phone: (+49 30) 332 40 15   | BITNET: huebner@db0tui6
pda@stiatl.UUCP (Paul Anderson) (11/08/88)
In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>In article <361@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>>
>>...a big Thanks to all the folks... We're in your debt, folks.
>>Steve Simmons, Systems Support Mgr, ITI
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?
> Dewey Henize

Yes, my thanks too. But I disagree with trashing the kid. He did nothing more than walk in the front door of your house and let all the hot air out.

The worm did nothing except scare the shit out of a lot of people. What if it had done something *BAD*? I know, we don't know yet... But it could have shut the country down! We should panic, yes! And get our security up to snuff. "Would the Russians have been so nice?" I betcha they knew how to do this one for a while.

So while you are all panicking over a *NULL* statement, give some thought to what would have really happened if there had been some venom to the bite.

I for one, would probably hire the kid. He shows innovation and I don't see much of that anymore.

paul
--
Paul Anderson gatech!stiatl!pda (404) 841-4000
X isn't just an adventure, X is a way of life...
john@stiatl.UUCP (John DeArmond) (11/08/88)
In article <1252@stiatl.UUCP> pda@stiatl.UUCP (Paul Anderson) writes:
>In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>>In article <361@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>>>
>>>...a big Thanks to all the folks... We're in your debt, folks.
>>>Steve Simmons, Systems Support Mgr, ITI
>>
>>On the next area of consideration, who's gonna get hold of the bastard
>>that caused this and beat the shit out of him?
>> Dewey Henize
>
>Yes, my thanks too. But I disagree with trashing the kid. He did nothing
>more than walk in the front door of your house and let all the hot air out.
>
>The worm did nothing except scare the shit out of a lot of
>people.
>Paul Anderson

I'd like to echo Paul's sentiment. This kid probably did the network one of the biggest favors possible - it opened our eyes - maybe. I'm fairly new to Unix, having worked with it for about 2 years now (That's rite, boys and girls, I went to school BU [before unix]) so my opinions are a mix of relative neophyte and experienced administrator.

One of the things that has marveled me is the incredibly poor documentation for unix. Another is the almost incredible tolerance for known bugs and problems. After all, it's hacker-macho to be able to come up with the cleverest workaround to a problem.

Judging from the postings I've seen the last few days, the openings he exploited have been known for quite some time. One posting I saw was a repost of a discussion over 2 YEARS OLD! In other words, we've known these holes were there and, for the most part, ignored them. I can understand a commercial, object-only site like ours being slow in fixing such problems within binaries but there is little excuse for the source licensees to have been bitten.

I don't want to sound negative and I don't want to offend anybody but these things need to be said. Yeah, sure, you lost some sleep and it was a pain in the ass, and the network was down for a day and so on.. but look at the up side of the issue. AT THE LEAST, the following happened:

1. A blatant hole was exposed for all to see.
2. Rapid response procedures were given a good workout.
3. Disaster control procedures were exercised.
4. Much beneficial discussion has taken place and will take place regarding this issue.
5. Hopefully some new attitudes about reasonable security will be formed.
6. Maybe some needed changes to both Unix and the internet will be implemented.
7. The awareness among the user body concerning security will be heightened.

Probably the WORST thing that could happen is for the government to make a knee jerk reaction, heavily restricting the Internet, and then assume that peace, harmony and security have been re-established. Let's hope with all our might this does not happen.

As far as the kid goes, I think the appropriate response should be to punish him a bit, not for the worm itself, but for taking the chance he did with a bug causing REAL damage. Perhaps a year suspension from school while working in the community. Then we ought to give the kid a medal! After all, he's done in a couple of days what years of preaching by high-powered consultants and officials have not been able to do - spotlight reasonable security.

THEN we all ought to get down on our knees and thank our stars that the kid was not bent on destruction.
dewey@execu.UUCP (Dewey Henize) (11/08/88)
In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize[me]) writes:
>>On the next area of consideration, who's gonna get hold of the bastard
>>that caused this and beat the shit out of him? Having a daddy that's a
>>supposedly high security muckety-much should, if anything, imply that the
>>[censored] should know a lot better... And it's not like the law is gonna
>>do much, there isn't even a clear picture of what laws are broken by ruining
>>the days of hundreds or thousands of people..
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems. He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of. Just imagine what would have happened if the worm/virus had
>contained some nasty code to destroy files or the like. The sendmail bug
>certainly gave the worm access rights to destroy mail and eventually other
>vital system information.
>[...]
>
>Let's be happy that it is over, and that the Internet is now more secure.
>
> Hans
>
>--
>Hans H. Huebner, netmbx | PSIMail: PSI%026245300043100::PENGO

Hans, you're a much nicer guy than I am. I learned a long time ago that to be secure, you close your system off from the outside world, otherwise you cannot be really secure. Sorry, this didn't really do much in anything like a nice way.

Yes, there are holes - and I'll bet you that while these get patched pretty darned quickly, there will be more and more as time goes on. So? Does that mean to you the best way to aid security is to waste thousands of hours of other people? I doubt you mean that.

Think this through. If this clown had really been even remotely inclined to do anything resembling help people, there are literally hundreds of other scenarios that he could have chosen.

I know that if someone really wants to, they can go into the parking area here and slash a few hundred tires. We don't have 24 hour a day security, because most responsible people know better, and a large part of what's left are also aware that doing it and getting caught will do bad things to their personal wealth, freedom, and possibly health. Yes, a few people in the world do that kind of thing - we call them criminals or outlaws, not 'hackers'. I still feel that this kind of person, whether they do it with programs or do it with other implements, is maliciously damaging other people's property. And that it is WRONG for it to be blown off with 'Well, gee, now we know about that'.

If we are lucky, Morris will be sued to the point that his personal fortune will be totally taken from him and he will be blackballed from anything even resembling a responsible job for the rest of his life. And also we can hope that this punishment will be widely publicized such that the very large number of people that think this kind of thing is a fun thing to try will have major second thoughts. This won't stop it, no, I recognise that. It WILL cut it down a lot, though, and will give the people who do try to limit this kind of damage a fighting chance.

This thing wasn't a one-night, 'gee, wonder if this would work' episode - it simply wasn't spur of the moment or impulsive. It was a deliberate attempt to cause great disruption, MAYBE more than he intended but definitely an attempt to misuse the implied trust of a widely cooperating community. He basically showed that he's not interested in being a part of that community as far as his responsibility to it is concerned - the only part he wants is the support to him.

Followups to alt.flame, please.

Dewey Henize
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| There is nothing in the above message that can't be explained by sunspots. |
| execu!dewey Dewey Henize |
| Can you say standard disclaimer? I knew you could. Somehow... |
bowen@cs.Buffalo.EDU (Devon E Bowen) (11/08/88)
In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems. He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of.

People keep saying this. Fact is, I already knew that computer systems are not secure. I knew that the Internet is not secure. I knew that sendmail is one of the most insecure mailers around. And I sure hope no one out there thought differently even before the worm. He didn't teach me a whole lot. He just wasted my time. And I'm not going to thank someone for wasting my time.

Devon Bowen (KA2NRC)
FAX: (716) 636-3464
University at Buffalo
BITNET: bowen@sunybcs.BITNET
Internet: bowen@cs.Buffalo.EDU
UUCP: ...!{ames,boulder,decvax,rutgers}!sunybcs!bowen
per@kps.UUCP (Per Ejeklint /EFS) (11/08/88)
>
>I'd be careful in generally judging hackers as bad guys. Better think about
>the possibilities bugs can give to your favoured opponent. Every hour spent
>in the last week to get rid of the worm is a good investment in the security
>of future software products.
>
>Let's be happy that it is over, and that the Internet is now more secure.
>
> Hans
>

I agree with You Hans. Curiosity is a curse that often blinds people. Our little hacking brat was pushed by his own curiosity beyond the limit of common sense. A grown up person with some experience of life should make the decision that the "test" would cause too much trouble to other people. And if he had found out a weakness that can be used by guys 'up to no good', he would just post his results to various channels and in that way open the eyes of the others.

But the most effective way to focus on fatal bugs like this one is probably to do what he did. Still, I doubt that his purpose was that "good". I think he was curious, just curious.

Maybe we should arrange "Do-something-evil-contests" where hacking brats could compete in destroying things (given a stand-alone computer), and then use the results as a feedback to sysadmins (and security daddies). I'm sure that our little star of this month (You know who) has some interesting things to say, so if You read this, send me a mail!

Per Ejeklint
Stockholm, Sweden
numccann@ndsuvax.UUCP (Lester I. McCann) (11/09/88)
In article <270@eda.com> jim@eda.com (Jim Budler) writes:
>
>For now I feel these two security lists are to be *actively* encouraged
>perhaps now they can actually be funded. It sounds like they are going
>to be set up as a cooperating duo, one open, but carrying details only
>on how to close holes, with an attempt to not convey information to
>aid breaking. The other is the problem. With my corporate charter, I
>need the more detailed, but the qualification *has* to be tighter.
>
>uucp: {decwrl,uunet}!eda!jim Jim Budler
>internet: jim@eda.com EDA Systems, Inc.

I think it would be a mistake to selectively censor security information. It gives me the feeling that a certain privileged few will get to say that the rest of us can't handle the knowledge. In this situation one can make a case that such caution is warranted, but I fear that this setup may encourage even more stalling on security modifications. I can envision some system administrators becoming overconfident because they believe no one but other sysadmins know where the bugs are. And if no one else knows, why spend the time and money to fix the problems?

I'm not saying that any of this will actually happen. But, I do think that if everyone knows about the problems and if they are discussed openly, we'll all be more knowledgeable about the risks, we'll be better able to deal with possible future troubles, and we'll be better able to prevent a repeat performance.

Lester McCann
numccann@plains.nodak.edu
numccann@ndsuvax.bitnet
cl@datlog.co.uk (Charles Lambert) (11/09/88)
In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?

Well, I'm not sure I go along with that. No actual harm done besides the results of our own panic. In the end, a benign worm revealed a nasty hole in the security.

Now, about that panic: who's gonna put together a cogent, readable press release to counter all the sensational tripe that the media have been inventing, in their benighted ignorance? Something that conveys the idea that we're not a mob of moon-eyed boffins at the mercy of our machines.

Charlie
jmc@ptsfa.PacBell.COM (Jerry Carlin) (11/09/88)
In article <2517@cs.Buffalo.EDU> bowen@sunybcs.UUCP (Devon E Bowen) writes:
>... I knew that sendmail is
>one of the most insecure mailers around. And I sure hope no one out there
>thought differently even before the worm. He didn't teach me a whole lot. He
>just wasted my time...

Being mostly a V-oid, I did not know sendmail was holey. Anyone who did and did not contribute to getting it fixed is at least as guilty as the perpetrator.

There is a legal concept of an 'attractive nuisance' typically applied to kids getting drowned because there was not a good fence in front of the swimming pool. It applies here.

I'm getting really tired of 'we' (the in crowd) knew there was a problem so we did not feel we had to do anything. The rest of us did not know the problem existed.

The argument that 'why should we fix anything because there will be some holes in the future' is equivalent to 'why should we have medicine because there will always be disease'. It does not wash.
--
Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc
To dream the impossible dream. To fight the unbeatable foe.
netnews@pikes.Colorado.EDU (Robert Sklar) (11/09/88)
In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>I'd be careful in generally judging hackers as bad guys. Better think about
>the possibilities bugs can give to your favoured opponent. Every hour spent
>in the last week to get rid of the worm is a good investment in the security
>of future software products.
>
>Hans H. Huebner, netmbx | PSIMail: PSI%026245300043100::PENGO

Hear, hear!! Not only is the net much more secure now, but this should teach us all a lesson and point out the potential for something much worse happening in the future. This makes a message loud and clear as it caught a lot of people with their pants down. With the speed of the Internet now our vulnerability really stands out.

Also a Big Thanks to the people at Berkeley who worked for 36 straight hours on fixing and releasing the patches to help make the Internet safe once again.

AND GET YOUR DEFINITION OF HACKER RIGHT!! (A pet peeve of mine) :-)
--
Robert M. Sklar - News Administrator @ CU-Denver
UUCP: {whatever}!boulder!pikes!netnews
CSN: netnews@pikes.Colorado.EDU
BITNET: netnews@cudenver.BITNET
***** Ignore These Four Words *****
dtynan@sultra.UUCP (Der Tynan) (11/09/88)
In answer to all these people who've said we should thank the guy for putting the worm in the system, which scared the living daylights out of a *lot* of system administrators this weekend, I have the following comments;

First, a topical joke;

Q: What's worse than finding a 'worm' in your 'Apple'?
A#1: Finding *half* a worm (think about it).
A#2: Knowing that the author will get away with a mere 'slap on the wrist'.

Consider the following fictional analogy;

"TCPVILLE, IP -- An armed gunman opened fire on the customers in a local fast food franchise, this morning. The gunman, armed with an Uzi, and several handguns began shooting at random, aiming above the heads of the terrified customers. Luckily, no-one was hurt, but local authorities say the damages may exceed $1M, not including any lawsuits on behalf of the victims. Several parked cars were destroyed, along with some fast food equipment, and most of the plate-glass in the restaurant. A spokesman for the fast food chain issued a public 'thank you' to the gunman, for exposing serious weaknesses in the chain's security policy. Furthermore, the spokesman announced stricter security regulations, including 'strip searches' for future patrons, and armed guards at every entrance."

Get the point? What's more, my worst nightmare has come true. Last night, a TV anchor referred to Morris as a 'Computer Mastermind'. Really? What would they have called him if his program had actually worked. Most networks in this country, including the banking networks, are not totally impervious to such attacks. The 'failsafe' security is that this kind of CRIME is a federal offence. This is what keeps most 'crackers' away from this kind of thing. Sure, he exposed some serious weaknesses in the overall security, but it would have been a *lot* better if he had just mailed his findings to the appropriate people. What he did will have serious long-term repercussions. In an ideal environment, we might just take his findings, and make the system secure, but in reality, a lot of not-so-computer-literate managers are going to review their INTERNET (and USENET) policies.

My wife and I have a bet going; she says that Morris will get a high-paying job in some network company. I say his resume ain't worth beans. If he *does* get 'the ultimate job', want to guess how many *more* attacks there'll be in the coming years?

- Der
--
dtynan@Tynan.COM (Dermot Tynan @ Tynan Computers)
{apple,mips,pyramid,uunet}!zorba.Tynan.COM!dtynan
--- God invented alcohol to keep the Irish from taking over the planet ---
rcj@moss.ATT.COM (11/09/88)
In article <368@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
}Followups to alt.flame, please.

Even if we got the alt groups, I couldn't allow you to make such inflammatory comments in these newsgroups and then skulk off to alt.flame -- you're the one advocating that Bob Morris "face the music"; right now it's your turn! ;-)

}Hans, you're a much nicer guy than I am. I learned a long time ago that to
}be secure, you close your system off from the outside world, otherwise you
}cannot be really secure. Sorry, this didn't really do much in anything like
}a nice way.

No, you can't be *really* secure. But you can have a relatively secure system without HUGE GAPING holes like the one Bob Morris exploited.

}Yes, there are holes - and I'll bet you that while these get patched pretty
}darned quickly, there will be more and more as time goes on. So? Does that

And why are these holes being patched so quickly? Why weren't they patched before now? Because no one had exploited them *that we know of*, and we were just damned lucky that the first person who did so wasn't malicious.

}Think this through. If this clown had really been even remotely inclined to
}do anything resembling help people, there are literally hundreds of other
}scenarios that he could have chosen.

Like what? Name one. You cannot in good conscience expose a major security hole unless you are reasonably sure that whoever you tell about it is not only trustworthy, but can be counted on to disseminate the information quickly and reliably to *all* systems that have the hole. If you can look in your Official Internet Directory and give me the number of the Computer Security Agency for All of the Internet then I'll acquiesce.

}I know that if someone really wants to, they can go into the parking area here
}and slash a few hundred tires. We don't have 24 hour a day security, because
}most responsible people know better, and a large part of what's left are also
}aware that doing it and getting caught will do bad things to their personal
}wealth, freedom, and possibly health. Yes, a few people in the world do that
}kind of thing - we call them criminals or outlaws, not 'hackers'. I still

Another horribly inaccurate analogy. Let's see if we can rectify that. Let's say everyone has one of those 5-button combination locks on their car doors -- the kind that Ford and others had on luxury cars where you could punch in a 5-number combination to unlock the driver's door, then follow that with another digit to pop the trunk. Now let's say someone comes into your unguarded parking lot full of LOCKED cars, opens everyone's trunk, jacks up each car, takes off each car's rear tires and locks the tires and lug nuts back in the trunk. You all come out and see this and are appalled and outraged. Other owners of the same type of cars are frightened -- how did this person do it? You discover that the maker of the cars, in its infinite carelessness/stupidity, has assigned the same combination to ALL of the cars! Now, each car owner has to unlock the trunk, drag out the tires and lug nuts, and put the tires back on. And each driver goes to a service center at a carmaker X dealership and gets a custom combination.

Was time and effort wasted? Yes. Was any damage done? No! Are the cars now completely secure from theft? No. Were many probable future thefts of valuables from locked cars prevented? Yes! It's a bit more complicated than tire-slashing.

}If we are lucky, Morris will be sued to the point that his personal fortune
}will be totally taken from him and he will be blackballed from anything
}even resembling a responsible job for the rest of his life. And also we can
}hope that this punishment will be widely publicized such that the very large
}number of people that think this kind of thing is a fun thing to try will
}have major second thoughts.

I just *love* people who advocate making an example of one particular individual despite the injustice that implies. I hope you get stopped for speeding someday and they decide to give you 5 years in prison so "the very large number of people that think this kind of thing is a fun thing to try will have major second thoughts."
bowen@cs.Buffalo.EDU (Devon E Bowen) (11/09/88)
In article <4578@ptsfa.PacBell.COM> jmc@ptsfa.PacBell.COM (Jerry Carlin) writes:
>Being mostly a V-oid, I did not know sendmail was holey. Anyone who did
>and did not contribute to getting it fixed is at least as guilty
>as the perpetrator.
>
>I'm getting really tired of 'we' (the in crowd) knew there was a problem
>so we did not feel we had to do anything. The rest of us did not know the
>problem existed.

Never let it be said that I don't do my part...

I'm writing this as a public notice that the sendmail daemon is still a security hole. If you feel strongly about this, please shut off your sendmail daemon. I prefer to run mine so that I can continue to receive mail via the Internet.

>The argument that 'why should we fix anything because there will be some
>holes in the future' is equivalent to 'why should we have medicine because
>there will always be disease'. It does not wash.

That's not the argument I make. My argument is that I'd rather spend my time making advancements in the field of computer science than patching security holes. I think you'll agree that what I do with my time and efforts is my business. I don't think that one of these scares every couple of years is worth the bother. Sure, if it had been a virus and had wiped out my disks, it would have been a pain and I would have had to restore from tape dumps. But being paranoid takes a lot of time, too. And I don't think it's worth it.

If you want every ounce of security you can get, you should be running VMS. I'll stick with BSD, though.

Devon Bowen (KA2NRC)
FAX: (716) 636-3464
University at Buffalo
BITNET: bowen@sunybcs.BITNET
Internet: bowen@cs.Buffalo.EDU
UUCP: ...!{ames,boulder,decvax,rutgers}!sunybcs!bowen
henry@utzoo.uucp (Henry Spencer) (11/11/88)
In article <2548@cs.Buffalo.EDU> bowen@sunybcs.UUCP (Devon E Bowen) writes:
>I'm writing this as a public notice that the sendmail daemon is still a
>security hole. If you feel strongly about this, please shut off your sendmail
>daemon. I prefer to run mine so that I can continue to receive mail via the
>Internet.

The latter does not imply the former. There is at least one implementation of SMTP that does not require sendmail. It was, I believe, posted to comp.sources.misc a little while ago. It definitely works; although it may be a bit crude, it's in production on several sites.

The amount of effort that has gone into maintaining sendmail, over the net as a whole, could have written half a dozen high-quality implementations of SMTP by now. It continues to amaze me that people claim there is no alternative to sendmail.
--
Sendmail is a bug,  | Henry Spencer at U of Toronto Zoology
not a feature.      | uunet!attcan!utzoo!henry henry@zoo.toronto.edu