[news.sysadmin] A *Big* Thank You

scs@itivax.UUCP (Steve C. Simmons) (11/06/88)

In the midst of all the frantic work to eradicate the worm and
inoculate ourselves against it in the future, let's not forget
a big Thanks to all the folks who moved so incredibly fast on
finding it, creating fixes, and distributing them with large
chunks of the net going to hell in a handbasket.  We're in your
debt, folks.

Steve Simmons, Systems Support Mgr, ITI
(yes, I know most of that's in my .sig.  I wanted it here as
 an official thanks from ITI).

-- 
Steve Simmons		...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."

dewey@execu.UUCP (Dewey Henize) (11/06/88)

In article <361@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>
>In the midst of all the frantic work to eradicate the worm and
>inoculate ourselves against it in the future, let's not forget
>a big Thanks to all the folks who moved so incredibly fast on
>finding it, creating fixes, and distributing them with large
>chunks of the net going to hell in a handbasket.  We're in your
>debt, folks.
>
>Steve Simmons, Systems Support Mgr, ITI

I'd like to add my thanks as well.  Although a UUCP site, we didn't have any
idea that that was a plus in safety.  We DID know though that some really
good people were working on the problem and getting timely patches and
procedures distributed that our small organisation would have been completely
unable to produce ourselves.  Because of these people not only finding out
what was going on but also informing us, we didn't have to draw back into
a turtle shell and depend on poor newscasts and (shudder) the local 
imitation of a newspaper.  Many thanks and lots of appreciation.

On the next area of consideration, who's gonna get hold of the bastard
that caused this and beat the shit out of him?  Having a daddy that's a 
supposedly high security muckety-muck should, if anything, imply that the
[censored] should know a lot better...  And it's not like the law is gonna
do much, there isn't even a clear picture of what laws are broken by ruining
the days of hundreds or thousands of people.

What the hell, someone had to say that part.  If you disagree, don't let
that stop you from thanking the GOOD folks.

Dewey Henize
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| There is nothing in the above message that can't be explained by sunspots.  |
|                   execu!dewey             Dewey Henize                      |
|         Can you say standard disclaimer?  I knew you could.  Somehow...     |

jfh@rpp386.Dallas.TX.US (John F. Haugh II) (11/07/88)

In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>I'd like to add my thanks as well.  Although a UUCP site, we didn't have any
>idea that that was a plus in safety.

Hear, hear.

I wish to applaud Rick Adams for sending out messages to myself and Allen
Gwinn down here in Dallas letting us know something was afoot.
-- 
John F. Haugh II                        +----Make believe quote of the week----
VoiceNet: (214) 250-3311   Data: -6272  | Nancy Reagan on Richard Stallman:
InterNet: jfh@rpp386.Dallas.TX.US       |          "Just say `Gno'"
UucpNet : <backbone>!killer!rpp386!jfh  +--------------------------------------

pengo@tmpmbx.UUCP (Hans H. Huebner) (11/07/88)

In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?  Having a daddy that's a 
>supposedly high security muckety-muck should, if anything, imply that the
>[censored] should know a lot better...  And it's not like the law is gonna
>do much, there isn't even a clear picture of what laws are broken by ruining
>the days of hundreds or thousands of people.
Maybe you should better thank this guy as well, since he revealed some
nasty bugs in widespread operating systems.  He SURELY showed everyone that
computer systems are not secure, and that security IS a thing one has to be
aware of.  Just imagine what would have happened if the worm/virus had
contained some nasty code to destroy files or the like.  The sendmail bug
certainly gave the worm access rights to destroy mail and eventually other
vital system information.

I'd be careful in generally judging hackers as bad guys.  Better think about
the possibilities bugs can give to your favoured opponent.  Every hour spent
in the last week to get rid of the worm is a good investment in the security
of future software products.

Let's be happy that it is over, and that the Internet is now more secure.

	Hans

-- 
Hans H. Huebner, netmbx     | PSIMail: PSI%026245300043100::PENGO
Woerther Str. 36            | DOMAIN:  pengo@tmpmbx.UUCP
D-1000 Berlin 20, W.Germany | Bang:    ..!{pyramid,unido}!tmpmbx!pengo
Phone: (+49 30) 332 40 15   | BITNET:  huebner@db0tui6

pda@stiatl.UUCP (Paul Anderson) (11/08/88)

In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>In article <361@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>>
>>...a big Thanks to all the folks...  We're in your debt, folks.
>>Steve Simmons, Systems Support Mgr, ITI
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?  
> Dewey Heinze

Yes, my thanks too.  But I disagree with trashing the kid.  He did nothing
more than walk in the front door of your house and let all the hot air out.

The worm did nothing except scare the shit out of a lot of
people.  What if it had done something *BAD*?  I know, we don't know 
yet...  But it could have shut the country down!  We should panic, yes!
And get our security up to snuff.  "Would the Russians have been so 
nice?"  I betcha they knew how to do this one for a while.  So while you
are all panicking over a *NULL* statement,  give some thought to what
would have really happened if there had been some venom to the bite.

I for one, would probably hire the kid.  He shows innovation and I don't
see much of that anymore.

paul
-- 
Paul Anderson		gatech!stiatl!pda		(404) 841-4000
	    X isn't just an adventure, X is a way of life...

john@stiatl.UUCP (John DeArmond) (11/08/88)

In article <1252@stiatl.UUCP> pda@stiatl.UUCP (Paul Anderson) writes:
>In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>>In article <361@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>>>
>>>...a big Thanks to all the folks...  We're in your debt, folks.
>>>Steve Simmons, Systems Support Mgr, ITI
>>
>>On the next area of consideration, who's gonna get hold of the bastard
>>that caused this and beat the shit out of him?  
>> Dewey Heinze
>
>Yes, my thanks too.  But I disagree with trashing the kid.  He did nothing
>more than walk in the front door of your house and let all the hot air out.
>
>The worm did nothing except scare the shit out of a lot of
>people.  

>Paul Anderson

I'd like to echo Paul's sentiment.  This kid probably did the network one
of the biggest favors possible - it opened our eyes - maybe.  

I'm fairly new to Unix, having worked with it for about 2 years now (That's
rite, boys and girls, i went to school BU [before unix]) so my opinions 
are a mix of relative neophyte and experienced administrator.  One of the 
things that has marveled me is the incredibly poor documentation for unix.
Another is the almost incredible tolerance for known bugs and problems.  
After all, it's hacker-macho to be able to come up with the cleverest
workaround to a problem.  

Judging from the postings I've seen the last few days, the openings he
exploited have been known for quite some time.  One posting I saw was
a repost of a discussion over 2 YEARS OLD!  In other words, we've known
these holes were there and, for the most part, ignored them.  I can 
understand a commercial, object-only site like ours being slow in
fixing such problems within binaries but there is little excuse for the
source licensees to have been bitten.  I don't want to sound negative and
I don't want to offend anybody but these things need to be said.

Yeah, sure, you lost some sleep and it was a pain in the ass, and the 
network was down for a day and so on.. but look at the up side of the 
issue.  AT THE LEAST, the following happened:

1.	A blatant hole was exposed for all to see.
2.	Rapid response procedures were given a good workout.
3.	Disaster control procedures were exercised.
4.	Much beneficial discussion has taken place and will take place regarding
	this issue.
5.	Hopefully some new attitudes about reasonable security will be
	formed.
6.	Maybe some needed changes to both Unix and the internet will be
	implemented.
7.	The awareness among the user body concerning security will be
	heightened.

	Probably the WORST thing that could happen is for the government to 
make a knee jerk reaction, heavily restricting the Internet, and then
assume that peace, harmony and security have been re-established.  Let's hope
with all our might this does not happen.

As far as the kid goes, I think the appropriate response should be to 
punish him a bit, not for the worm itself, but for taking the chance he
did with a bug causing REAL damage.  Perhaps a year suspension from school
while working in the community.  Then we ought to give the kid a medal!
After all, he's done in a couple of days what years of preaching by high-
powered consultants and officials have not been able to do - spotlight 
reasonable security.  THEN we all ought to get down on our knees 
and thank our stars that the kid was not bent on destruction.

dewey@execu.UUCP (Dewey Henize) (11/08/88)

In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize[me]) writes:
>>On the next area of consideration, who's gonna get hold of the bastard
>>that caused this and beat the shit out of him?  Having a daddy that's a 
>>supposedly high security muckety-muck should, if anything, imply that the
>>[censored] should know a lot better...  And it's not like the law is gonna
>>do much, there isn't even a clear picture of what laws are broken by ruining
>>the days of hundreds or thousands of people.

>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems.  He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of.  Just imagine what would have happened if the worm/virus had
>contained some nasty code to destroy files or the like.  The sendmail bug
>certainly gave the worm access rights to destroy mail and eventually other
>vital system information.
>[...]
>
>Let's be happy that it is over, and that the Internet is now more secure.
>
>	Hans
>
>-- 
>Hans H. Huebner, netmbx     | PSIMail: PSI%026245300043100::PENGO


Hans, you're a much nicer guy than I am.  I learned a long time ago that to
be secure, you close your system off from the outside world, otherwise you
cannot be really secure.  Sorry, this didn't really do much in anything like
a nice way.

Yes, there are holes - and I'll bet you that while these get patched pretty
darned quickly, there will be more and more as time goes on.  So?  Does that
mean to you the best way to aid security is to waste thousands of hours of
other people?  I doubt you mean that.

Think this through.  If this clown had really been even remotely inclined to
do anything resembling help people, there are literally hundreds of other
scenarios that he could have chosen.

I know that if someone really wants to, they can go into the parking area here
and slash a few hundred tires.  We don't have 24 hour a day security, because
most responsible people know better, and a large part of what's left are also
aware that doing it and getting caught will do bad things to their personal
wealth, freedom, and possibly health.  Yes, a few people in the world do that
kind of thing - we call them criminals or outlaws, not 'hackers'.  I still
feel that this kind of person, whether they do it with programs or do it with
other implements, is maliciously damaging other people's property.  And that
it is WRONG for it to be blown off with 'Well, gee, now we know about that'.

If we are lucky, Morris will be sued to the point that his personal fortune
will be totally taken from him and he will be blackballed from anything 
even resembling a responsible job for the rest of his life.  And also we can
hope that this punishment will be widely publicized such that the very large
number of people that think this kind of thing is a fun thing to try will
have major second thoughts.

This won't stop it, no, I recognise that.  It WILL cut it down a lot, though,
and will give the people who do try to limit this kind of damage a fighting
chance.  This thing wasn't a one-night, 'gee, wonder if this would work' 
episode - it simply wasn't spur of the moment or impulsive.  It was a deliberate
attempt to cause great disruption, MAYBE more than he intended but definitely
an attempt to misuse the implied trust of a widely cooperating community.  He
basically showed that he's not interested in being a part of that community
as far as his responsibility to it is concerned - the only part he wants is
the support to him.

Followups to alt.flame, please.

Dewey Henize

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| There is nothing in the above message that can't be explained by sunspots.  |
|                   execu!dewey             Dewey Henize                      |
|         Can you say standard disclaimer?  I knew you could.  Somehow...     |

bowen@cs.Buffalo.EDU (Devon E Bowen) (11/08/88)

In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems.  He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of.

People keep saying this. Fact is, I already knew that computer systems are
not secure. I knew that the Internet is not secure. I knew that sendmail is
one of the most insecure mailers around. And I sure hope no one out there
thought differently even before the worm. He didn't teach me a whole lot. He
just wasted my time. And I'm not going to thank someone for wasting my time.


Devon Bowen (KA2NRC)		FAX:	   (716) 636-3464
University at Buffalo		BITNET:    bowen@sunybcs.BITNET
				Internet:  bowen@cs.Buffalo.EDU
UUCP: ...!{ames,boulder,decvax,rutgers}!sunybcs!bowen

per@kps.UUCP (Per Ejeklint /EFS) (11/08/88)

>
>I'd be careful in generally judging hackers as bad guys.  Better think about
>the possibilities bugs can give to your favoured opponent.  Every hour spent
>in the last week to get rid of the worm is a good investment in the security
>of future software products.
>
>Let's be happy that it is over, and that the Internet is now more secure.
>
>	Hans
>

I agree with you, Hans.  Curiosity is a curse that often blinds people.
Our little hacking brat was pushed by his own curiosity beyond the limit
of common sense.  A grown-up person with some experience of life should
make the decision that the "test" would cause too much trouble to other
people.  And if he had found out a weakness that can be used by guys 'up
to no good', he would just post his results to various channels and
in that way open the eyes of the others.
But the most effective way to focus on fatal bugs like this one is 
probably to do what he did.  Still, I doubt that his purpose was that
"good".  I think he was curious, just curious.
Maybe we should arrange "Do-something-evil contests" where hacking brats
could compete in destroying things (given a stand-alone computer), and then
use the results as feedback to sysadmins (and security daddies).

I'm sure that our little star of this month (you know who) has some
interesting things to say, so if you read this, send me a mail!

Per Ejeklint
Stockholm, Sweden

numccann@ndsuvax.UUCP (Lester I. McCann) (11/09/88)

In article <270@eda.com> jim@eda.com (Jim Budler) writes:
>
>For now I feel these two security lists are to be *actively* encouraged
>perhaps now they can actually be funded. It sounds like they are going
>to be set up as a cooperating duo, one open, but carrying details only
>on how to close holes, with an attempt to not convey information to
>aid breaking. The other is the problem. With my corporate charter, I
>need the more detailed, but the qualification *has* to be tighter.
>
>uucp:     {decwrl,uunet}!eda!jim        Jim Budler
>internet: jim@eda.com                   EDA Systems, Inc.

I think it would be a mistake to selectively censor security information.
It gives me the feeling that a certain privileged few will get to
say that the rest of us can't handle the knowledge.  In this situation
one can make a case that such caution is warranted, but I fear that this
setup may encourage even more stalling on security modifications.  I can
envision some system administrators becoming overconfident because they
believe no one but other sysadmins know where the bugs are.  And if no one
else knows, why spend the time and money to fix the problems?

I'm not saying that any of this will actually happen.  But, I do think that
if everyone knows about the problems and if they are discussed openly, we'll
all be more knowledgeable about the risks, we'll be better able to deal
with possible future troubles, and we'll be better able to prevent a
repeat performance.

Lester McCann
numccann@plains.nodak.edu
numccann@ndsuvax.bitnet

cl@datlog.co.uk (Charles Lambert) (11/09/88)

In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?

Well, I'm not sure I go along with that.  No actual harm done besides the
results of our own panic.  In the end,  a benign worm revealed a nasty hole
in the security.

Now, about that panic:  who's gonna put together a cogent,  readable press
release to counter all the sensational tripe that the media have been
inventing,  in their benighted ignorance?  Something that conveys the idea
that we're not a mob of moon-eyed boffins at the mercy of our machines.

Charlie

jmc@ptsfa.PacBell.COM (Jerry Carlin) (11/09/88)

In article <2517@cs.Buffalo.EDU> bowen@sunybcs.UUCP (Devon E Bowen) writes:
>... I knew that sendmail is
>one of the most insecure mailers around. And I sure hope no one out there
>thought differently even before the worm. He didn't teach me a whole lot. He
>just wasted my time...

Being mostly a V-oid, I did not know sendmail was holey. Anyone who did 
and did not contribute to getting it fixed is at least as guilty
as the perpetrator. 

There is a legal concept of an 'attractive nuisance' typically applied to 
kids getting drowned because there was not a good fence in front of 
the swimming pool. It applies here.

I'm getting really tired of 'we' (the in crowd) knew there was a problem
so we did not feel we had to do anything. The rest of us did not know the
problem existed.

The argument that 'why should we fix anything because there will be some
holes in the future' is equivalent to 'why should we have medicine because
there will always be disease'. It does not wash.

-- 
Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc
To dream the impossible dream. To fight the unbeatable foe.

netnews@pikes.Colorado.EDU (Robert Sklar) (11/09/88)

In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>In article <367@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
>I'd be careful in generally judging hackers as bad guys.  Better think about
>the possibilities bugs can give to your favoured opponent.  Every hour spent
>in the last week to get rid of the worm is a good investment in the security
>of future software products.
>
>Hans H. Huebner, netmbx     | PSIMail: PSI%026245300043100::PENGO

Hear, hear!!  Not only is the net much more secure now, but this should
teach us all a lesson and point out the potential for something much
worse happening in the future.  This sends a message loud and clear 
as it caught a lot of people with their pants down.  With the speed of
the Internet now our vulnerability really stands out.

Also a Big Thanks to the people at Berkeley who worked for 36 straight hours
on fixing and releasing the patches to help make the Internet safe once again.

AND GET YOUR DEFINITION OF HACKER RIGHT!!  (A pet peeve of mine)  :-)


-- 
Robert M. Sklar - News Administrator @ CU-Denver
UUCP: {whatever}!boulder!pikes!netnews
CSN: netnews@pikes.Colorado.EDU  BITNET: netnews@cudenver.BITNET
***** Ignore These Four Words *****

dtynan@sultra.UUCP (Der Tynan) (11/09/88)

In answer to all these people who've said we should thank the guy for putting
the worm in the system, which scared the living daylights out of a *lot* of
system administrators this weekend, I have the following comments;

First, a topical joke;

Q:	What's worse than finding a 'worm' in your 'Apple'?

A#1:	Finding *half* a worm (think about it).

A#2:	Knowing that the author will get away with a mere 'slap on the wrist'.


Consider the following fictional analogy;

"TCPVILLE, IP -- An armed gunman opened fire on the customers in a local fast
food franchise this morning.  The gunman, armed with an Uzi and several
handguns, began shooting at random, aiming above the heads of the terrified
customers.  Luckily, no-one was hurt, but local authorities say the damages
may exceed $1M, not including any lawsuits on behalf of the victims.  Several
parked cars were destroyed, along with some fast food equipment, and most of
the plate-glass in the restaurant.  A spokesman for the fast food chain issued
a public 'thank you' to the gunman, for exposing serious weaknesses in the
chain's security policy.  Furthermore, the spokesman announced stricter security
regulations, including 'strip searches' for future patrons, and armed guards
at every entrance."

Get the point?  What's more, my worst nightmare has come true.  Last night,
a TV anchor referred to Morris as a 'Computer Mastermind'.  Really?  What
would they have called him if his program had actually worked.  Most networks
in this country, including the banking networks, are not totally impervious
to such attacks.  The 'failsafe' security is that this kind of CRIME is a
federal offence.  This is what keeps most 'crackers' away from this kind of
thing.  Sure, he exposed some serious weaknesses in the overall security, but
it would have been a *lot* better if he had just mailed his findings to the
appropriate people.  What he did will have serious long-term repercussions.
In an ideal environment, we might just take his findings, and make the system
secure, but in reality, a lot of not-so-computer-literate managers are going
to review their INTERNET (and USENET) policies.  My wife and I have a bet
going; she says that Morris will get a high-paying job in some network
company.  I say his resume ain't worth beans.  If he *does* get 'the ultimate
job', want to guess how many *more* attacks there'll be in the coming years?
						- Der
-- 
	dtynan@Tynan.COM  (Dermot Tynan @ Tynan Computers)
	{apple,mips,pyramid,uunet}!zorba.Tynan.COM!dtynan

 ---  God invented alcohol to keep the Irish from taking over the planet  ---

rcj@moss.ATT.COM (11/09/88)

In article <368@execu.UUCP> dewey@execu.UUCP (Dewey Henize) writes:
}Followups to alt.flame, please.

Even if we got the alt groups, I couldn't allow you to make such
inflammatory comments in these newsgroups and then skulk off to
alt.flame -- you're the one advocating that Bob Morris "face the
music"; right now it's your turn!  ;-)

}Hans, you're a much nicer guy than I am.  I learned a long time ago that to
}be secure, you close your system off from the outside world, otherwise you
}cannot be really secure.  Sorry, this didn't really do much in anything like
}a nice way.

No, you can't be *really* secure.  But you can have a relatively secure
system without HUGE GAPING holes like the one Bob Morris exploited.

}Yes, there are holes - and I'll bet you that while these get patched pretty
}darned quickly, there will be more and more as time goes on.  So?  Does that

And why are these holes being patched so quickly?  Why weren't they patched
before now?  Because no one had exploited them *that we know of*, and we
were just damned lucky that the first person who did so wasn't malicious.

}Think this through.  If this clown had really been even remotely inclined to
}do anything resembling help people, there are literally hundreds of other
}scenarios that he could have chosen.

Like what?  Name one.  You cannot in good conscience expose a major security
hole unless you are reasonably sure that whoever you tell about it is not only
trustworthy, but can be counted on to disseminate the information quickly
and reliably to *all* systems that have the hole.  If you can look in your
Official Internet Directory and give me the number of the Computer Security
Agency for All of the Internet then I'll acquiesce.

}I know that if someone really wants to, they can go into the parking area here
}and slash a few hundred tires.  We don't have 24 hour a day security, because
}most responsible people know better, and a large part of what's left are also
}aware that doing it and getting caught will do bad things to their personal
}wealth, freedom, and possibly health.  Yes, a few people in the world do that
}kind of thing - we call them criminals or outlaws, not 'hackers'.  I still

Another horribly inaccurate analogy.  Let's see if we can rectify that.
Let's say everyone has one of those 5-button combination locks on their
car doors -- the kind that Ford and others had on luxury cars where you
could punch in a 5-number combination to unlock the driver's door, then
follow that with another digit to pop the trunk.

Now let's say someone comes into your unguarded parking lot full of LOCKED
cars, opens everyone's trunk, jacks up each car, takes off each car's
rear tires and locks the tires and lug nuts back in the trunk.

You all come out and see this and are appalled and outraged.  Other
owners of the same type of cars are frightened -- how did this person
do it?  You discover that the maker of the cars, in its infinite
carelessness/stupidity, has assigned the same combination to ALL of
the cars!

Now, each car owner has to unlock the trunk, drag out the tires and lug
nuts, and put the tires back on.  And each driver goes to a service
center at a carmaker X dealership and gets a custom combination.

Was time and effort wasted?  Yes.
Was any damage done?  No!
Are the cars now completely secure from theft?  No.
Were many probable future thefts of valuables from locked cars
prevented?  Yes!

It's a bit more complicated than tire-slashing.

}If we are lucky, Morris will be sued to the point that his personal fortune
}will be totally taken from him and he will be blackballed from anything 
}even resembling a responsible job for the rest of his life.  And also we can
}hope that this punishment will be widely publicized such that the very large
}number of people that think this kind of thing is a fun thing to try will
}have major second thoughts.

I just *love* people who advocate making an example of one particular
individual despite the injustice that implies.  I hope you get stopped
for speeding someday and they decide to give you 5 years in prison so
"the very large number of people that think this kind of thing is a fun
thing to try will have major second thoughts."

bowen@cs.Buffalo.EDU (Devon E Bowen) (11/09/88)

In article <4578@ptsfa.PacBell.COM> jmc@ptsfa.PacBell.COM (Jerry Carlin) writes:
>Being mostly a V-oid, I did not know sendmail was holey. Anyone who did 
>and did not contribute to getting it fixed is at least as guilty
>as the perpetrator. 
>
>I'm getting really tired of 'we' (the in crowd) knew there was a problem
>so we did not feel we had to do anything. The rest of us did not know the
>problem existed.

Never let it be said that I don't do my part...

I'm writing this as a public notice that the sendmail daemon is still a
security hole. If you feel strongly about this, please shut off your sendmail
daemon. I prefer to run mine so that I can continue to receive mail via the
Internet.

>The arguement that 'why should we fix anything because there will be some
>holes in the future' is equivalent to 'why should we have medicine because
>there will always be disease'. It does not wash.

That's not the argument I make. My argument is that I'd rather spend my
time making advancements in the field of computer science than patching
security holes. I think you'll agree that what I do with my time and efforts
is my business.

I don't think that one of these scares every couple of years is worth the
bother. Sure, if it had been a virus and had wiped out my disks, it would
have been a pain and I would have had to restore from tape dumps. But being
paranoid takes a lot of time, too. And I don't think it's worth it.

If you want every ounce of security you can get, you should be running VMS.
I'll stick with BSD, though.


Devon Bowen (KA2NRC)		FAX:	   (716) 636-3464
University at Buffalo		BITNET:    bowen@sunybcs.BITNET
				Internet:  bowen@cs.Buffalo.EDU
UUCP: ...!{ames,boulder,decvax,rutgers}!sunybcs!bowen

henry@utzoo.uucp (Henry Spencer) (11/11/88)

In article <2548@cs.Buffalo.EDU> bowen@sunybcs.UUCP (Devon E Bowen) writes:
>I'm writing this as a public notice that the sendmail daemon is still a
>security hole. If you feel strongly about this, please shut off your sendmail
>daemon. I prefer to run mine so that I can continue to receive mail via the
>Internet.

The latter does not imply the former.  There is at least one implementation
of SMTP that does not require sendmail.  It was, I believe, posted to
comp.sources.misc a little while ago.  It definitely works; although it may
be a bit crude, it's in production on several sites.

The amount of effort that has gone into maintaining sendmail, over the
net as a whole, could have written half a dozen high-quality implementations
of SMTP by now.  It continues to amaze me that people claim there is no
alternative to sendmail.
-- 
Sendmail is a bug,             |     Henry Spencer at U of Toronto Zoology
not a feature.                 | uunet!attcan!utzoo!henry henry@zoo.toronto.edu