ado@elsie.UUCP (Arthur David Olson) (01/16/90)
Has anyone checked the HP server binaries for viruses, worms, et al.?
--
1972: Canada has no Saturn V equivalent
1990: Canada has no Saturn V equivalent
Arthur David Olson ado@alw.nih.gov ADO is a trademark of Ampex.
harry@hpcvlx.cv.hp.com (Harry Phinney) (01/17/90)
> Has anyone checked the HP server binaries for viruses, worms, et al.?
> Arthur David Olson ado@alw.nih.gov ADO is a trademark of Ampex.

I guess I can understand someone from NIH being concerned with viruses :-)

While there certainly may be ordinary bugs in them, I assure you there is no insidious worm or virus embedded there. These binaries are supplied by the Hewlett-Packard Company, and were done by the same people who produce the HP product server (myself included). There is no more chance of a worm in these binaries than in any other program within HP-UX.

Harry Phinney harry@hp-pcd.cv.hp.com
bob@MorningStar.Com (Bob Sutterfield) (01/17/90)
In article <100920150@hpcvlx.cv.hp.com> harry@hpcvlx.cv.hp.com (Harry Phinney) writes:
> > Has anyone checked the HP server binaries for viruses, worms, et al.?
> > Arthur David Olson ado@alw.nih.gov ADO is a trademark of Ampex.
> While there certainly may be ordinary bugs in them, I assure you there is no insidious worm or virus embedded there. These binaries are supplied by the Hewlett-Packard Company, and were done by the same people who produce the HP product server (myself included). There is no more chance of a worm in these binaries than in any other program within HP-UX.

You sound very certain of the security of your distribution mechanism, and I believe you to be sincere in your assertions. There's no reason to believe that the binaries you placed there are anything other than as you describe, and the Hewlett-Packard Company name is certainly venerable and worthy of confidence. The very fact that they are willing to distribute the sweat of their brow for free speaks well of them.

However: Are you sure that the binaries that are there now are the same ones you put there? Please, distribute either source or a checksum on the files. Alas, neither mail nor news are secure, nor would a CHECKSUM file (found in the directory beside the files of interest) be immune to tampering.

If you were to call me on the telephone and personally read me the checksum numbers, I would have no way to verify that you are who you claim to be.

Personally, I wouldn't use binaries found lying about hither and yon. If I don't get it on a tape of known origin, or build it from sources, I don't run it.

While HP's intent is laudable, their implementation is impractical.
Ed@ALDERAAN.SCRC.SYMBOLICS.COM (Ed Schwalenberg) (01/18/90)
> Date: 17 Jan 90 15:31:17 GMT
> From: mstar!mstar.morningstar.com!bob@ohio-state.arpa (Bob Sutterfield)
>
> Personally, I wouldn't use binaries found lying about hither and yon.
> If I don't get it on a tape of known origin, or build it from sources,
> I don't run it.
But how do you know the sources don't have viruses or whatever? Even
assuming you read every line of the 69 Megabytes of source for the
software you use before you run it, it's easy enough for a malicious
hacker to disguise his work in source code.
It is computationally impossible to verify C programs. Without a
computational solution, we're left with legal remedies and hope.
If the legal remedies are effective, litigation arising from a
"successful" virus could bankrupt even a large company like HP.
That leaves hope.
The only thing today's software user can do to protect himself is
exercise reasonable judgement in selecting software (I don't presume
to say whether using HP's binaries or MIT's sources is reasonable or
not) and HOPE that there's no malicious code secreted within.
The emperor is naked. If you look hard, you can see it for yourself.
bob@morningstar.COM (01/18/90)
> Date: Wed, 17 Jan 90 13:05 EST
> From: Ed Schwalenberg <Ed@ALDERAAN.SCRC.Symbolics.COM>
> > Date: 17 Jan 90 15:31:17 GMT
> > From: mstar!mstar.morningstar.com!bob@ohio-state.arpa (Bob Sutterfield)
(Hmmm... I wonder how that "ohio-state.arpa" snuck in there? That
name was retired several years ago when we unplugged our VAX!)
> But how do you know the sources don't have viruses or whatever?
> Even assuming you read every line of the 69 Megabytes of source for
> the software you use before you run it, it's easy enough for a
> malicious hacker to disguise his work in source code.
True enough. I don't read all the code I run. But in a community of
software sharers, if the code can be read there's a higher probability
that someone (me or someone else) will find it someday. That makes
the malicious person's job *much* more difficult than just diddling
with binaries. I don't want to read all that source; I just want to
be able to.
> If the legal remedies are effective, litigation arising from a
> "successful" virus could bankrupt even a large company like HP.
But since nobody can prove that HP stuck the virus into the binary,
nobody can pick their pockets. Their lawyers would just need to find
someone even moderately knowledgeable (heck, even *I* thought of it!)
to stand up in court and rattle off a half-dozen ways that the
binaries *could* have been molested.
> The only thing today's software user can do to protect himself is
> exercise reasonable judgement in selecting software and HOPE that
> there's no malicious code secreted within.
That's why I'd rather use programs for which the source is freely
available and in regular use by a community of talented people sharing
their work. It improves my odds.
terminal info wanted info wanted (01/18/90)
Bob Sutterfield writes:
> You sound very certain of the security of your distribution mechanism,
> and I believe you to be sincere in your assertions.

I'm very certain of the distribution mechanism up to putting the binaries into the build tree at MIT. Obviously from that point on, the binaries were outside the control of HP. I guess you'd have to judge whether or not to trust the other people in the chain (i.e. the MIT X Consortium staff if you retrieved it from expo or got it on tape).

> However: Are you sure that the binaries that are there now are the
> same ones you put there? Please, distribute either source or a
> checksum on the files. Alas, neither mail nor news are secure, nor
> would a CHECKSUM file (found in the directory beside the files of
> interest) be immune to tampering.

So how do you suggest we distribute the checksum? I'm perfectly willing to give out the checksums for the files, but what mechanism would you trust? If we had supplied source, would you have checked for the existence of viruses and worms?

> If you were to call me on the telephone and personally read me the
> checksum numbers, I would have no way to verify that you are who you
> claim to be.

If you are sincerely concerned about this, and have a need to use our R4 binaries, you can call me - (503)750-2598, or simply call the main Corvallis site number (quite verifiable) - (503)757-2000 and ask to speak to me.

> Personally, I wouldn't use binaries found lying about hither and yon.
> If I don't get it on a tape of known origin, or build it from sources,
> I don't run it.
> While HP's intent is laudable, their implementation is impractical.

While I certainly understand your concern, I would contend that the R4 distribution tape from the MIT X Consortium _is_ a tape of known origin. If you feel uneasy about using the binaries acquired through ftp, then get the tape. If you still have problems, call me.

Harry Phinney
gjc@mga.COM (George J. Carrette) (01/18/90)
I was wondering Bob, do you have an HP machine on which to run the HP binaries from the R4 tape, or are you just flaming?

And what you say about *NOT* being able to have a secure CHECKSUM file (one immune to tampering) either on the tape or distributed by mail just shows your ignorance of the current state of the art of public-key encryption.

-gjc
bob@MorningStar.Com (Bob Sutterfield) (01/18/90)
In article <118@eileen.mga.com> gjc@mga.COM (George J. Carrette) calls me on the carpet:
> I was wondering Bob, do you have an HP machine on which to run the
> HP binaries from the R4 tape, or are you just flaming?
Neither. I noted Mr. Phinney's confidence in the FTPable binaries,
and considered it to be overconfidence in light of anyone's real
ability to know what is in those files. The original question from
Arthur David Olson <ado@alw.nih.gov> was valid and has not been
answered yet.
> And what you say about *NOT* being able to have a secure CHECKSUM
> file (one immune to tampering) either on the tape or distributed by
> mail just shows your ignorance of the current state of the art of
> public-key encryption.
You're right, it could be done. But it's not yet.
(I'll be quiet now.)
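
The point argued in this thread, as an added example that is not part of any poster's message: a CHECKSUM file kept beside the binaries says nothing once someone can rewrite both, while a manifest digest received over a separate channel (the phone call offered above; a public-key signature on the manifest would play the same role) exposes the change. SHA-256, the file name `Xserver` and the manifest layout are assumptions made for this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(data):
    return hashlib.sha256(data).hexdigest()

def write_manifest(root):
    """Write CHECKSUM beside the files; return the digest of the manifest itself."""
    lines = [f"{digest(p.read_bytes())}  {p.name}"
             for p in sorted(root.iterdir()) if p.name != "CHECKSUM"]
    text = ("\n".join(lines) + "\n").encode()
    (root / "CHECKSUM").write_bytes(text)
    return digest(text)

def verify(root, pinned=None):
    """Return a list of problems. `pinned` is the manifest digest obtained
    out-of-band; without it only the co-located CHECKSUM is consulted."""
    manifest = (root / "CHECKSUM").read_bytes()
    problems = []
    if pinned is not None and digest(manifest) != pinned:
        problems.append("CHECKSUM does not match out-of-band digest")
    for line in manifest.decode().splitlines():
        want, name = line.split("  ", 1)
        # Path(name).name keeps a hostile manifest entry inside `root`.
        if digest((root / Path(name).name).read_bytes()) != want:
            problems.append(f"{name}: digest mismatch")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-in for a distributed server binary.
        (root / "Xserver").write_bytes(b"constructed stand-in for a server binary")
        pinned = write_manifest(root)   # publisher communicates this separately
        clean = verify(root, pinned)
        # The archive copy is altered and CHECKSUM is regenerated to match.
        (root / "Xserver").write_bytes(b"constructed stand-in, modified")
        write_manifest(root)
        colocated_only = verify(root)
        with_pin = verify(root, pinned)
        return clean, colocated_only, with_pin

if __name__ == "__main__":
    for label, result in zip(("clean", "co-located only", "with pin"), demo()):
        print(f"{label}: {result or 'no problems reported'}")
```

The pinned digest is only as trustworthy as the channel it arrived on, which is the question the thread leaves open.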