ado@elsie.UUCP (Arthur David Olson) (01/16/90)
Has anyone checked the HP server binaries for viruses, worms, et al.?
--
1972: Canada has no Saturn V equivalent
1990: Canada has no Saturn V equivalent
Arthur David Olson ado@alw.nih.gov ADO is a trademark of Ampex.
harry@hpcvlx.cv.hp.com (Harry Phinney) (01/17/90)
> Has anyone checked the HP server binaries for viruses, worms, et al.?
> Arthur David Olson ado@alw.nih.gov ADO is a trademark of Ampex.

I guess I can understand someone from NIH being concerned with viruses :-)

While there certainly may be ordinary bugs in them, I assure you there is no insidious worm or virus embedded there. These binaries are supplied by the Hewlett-Packard Company, and were done by the same people who produce the HP product server (myself included). There is no more chance of a worm in these binaries than in any other program within HP-UX.

Harry Phinney harry@hp-pcd.cv.hp.com
bob@MorningStar.Com (Bob Sutterfield) (01/17/90)
In article <100920150@hpcvlx.cv.hp.com> harry@hpcvlx.cv.hp.com (Harry Phinney) writes:

   > Has anyone checked the HP server binaries for viruses, worms, et al.?
   > Arthur David Olson ado@alw.nih.gov ADO is a trademark of Ampex.

   While there certainly may be ordinary bugs in them, I assure you there is no insidious worm or virus embedded there. These binaries are supplied by the Hewlett-Packard Company, and were done by the same people who produce the HP product server (myself included). There is no more chance of a worm in these binaries than in any other program within HP-UX.

You sound very certain of the security of your distribution mechanism, and I believe you to be sincere in your assertions. There's no reason to believe that the binaries you placed there are anything other than as you describe, and the Hewlett-Packard Company name is certainly venerable and worthy of confidence. The very fact that they are willing to distribute the sweat of their brow for free speaks well of them.

However: Are you sure that the binaries that are there now are the same ones you put there? Please, distribute either source or a checksum on the files. Alas, neither mail nor news are secure, nor would a CHECKSUM file (found in the directory beside the files of interest) be immune to tampering.

If you were to call me on the telephone and personally read me the checksum numbers, I would have no way to verify that you are who you claim to be.

Personally, I wouldn't use binaries found lying about hither and yon. If I don't get it on a tape of known origin, or build it from sources, I don't run it.

While HP's intent is laudable, their implementation is impractical.
Ed@ALDERAAN.SCRC.SYMBOLICS.COM (Ed Schwalenberg) (01/18/90)
   Date: 17 Jan 90 15:31:17 GMT
   From: mstar!mstar.morningstar.com!bob@ohio-state.arpa (Bob Sutterfield)

   Personally, I wouldn't use binaries found lying about hither and yon. If I don't get it on a tape of known origin, or build it from sources, I don't run it.

But how do you know the sources don't have viruses or whatever? Even assuming you read every line of the 69 Megabytes of source for the software you use before you run it, it's easy enough for a malicious hacker to disguise his work in source code. It is computationally impossible to verify C programs.

Without a computational solution, we're left with legal remedies and hope. If the legal remedies are effective, litigation arising from a "successful" virus could bankrupt even a large company like HP.

That leaves hope. The only thing today's software user can do to protect himself is exercise reasonable judgement in selecting software (I don't presume to say whether using HP's binaries or MIT's sources is reasonable or not) and HOPE that there's no malicious code secreted within.

The emperor is naked. If you look hard, you can see it for yourself.
bob@morningstar.COM (01/18/90)
   Date: Wed, 17 Jan 90 13:05 EST
   From: Ed Schwalenberg <Ed@ALDERAAN.SCRC.Symbolics.COM>

      Date: 17 Jan 90 15:31:17 GMT
      From: mstar!mstar.morningstar.com!bob@ohio-state.arpa (Bob Sutterfield)

(Hmmm... I wonder how that "ohio-state.arpa" snuck in there? That name was retired several years ago when we unplugged our VAX!)

   But how do you know the sources don't have viruses or whatever? Even assuming you read every line of the 69 Megabytes of source for the software you use before you run it, it's easy enough for a malicious hacker to disguise his work in source code.

True enough. I don't read all the code I run. But in a community of software sharers, if the code can be read there's a higher probability that someone (me or someone else) will find it someday. That makes the malicious person's job *much* more difficult than just diddling with binaries. I don't want to read all that source; I just want to be able to.

   If the legal remedies are effective, litigation arising from a "successful" virus could bankrupt even a large company like HP.

But since nobody can prove that HP stuck the virus into the binary, nobody can pick their pockets. Their lawyers would just need to find someone even moderately knowledgeable (heck, even *I* thought of it!) to stand up in court and rattle off a half-dozen ways that the binaries *could* have been molested.

   The only thing today's software user can do to protect himself is exercise reasonable judgement in selecting software and HOPE that there's no malicious code secreted within.

That's why I'd rather use programs for which the source is freely available and in regular use by a community of talented people sharing their work. It improves my odds.
terminal info wanted info wanted (01/18/90)
Bob Sutterfield writes:
> You sound very certain of the security of your distribution mechanism,
> and I believe you to be sincere in your assertions.

I'm very certain of the distribution mechanism up to putting the binaries into the build tree at MIT. Obviously from that point on, the binaries were outside the control of HP. I guess you'd have to judge whether or not to trust the other people in the chain (i.e. the MIT X Consortium staff if you retrieved it from expo or got it on tape).

> However: Are you sure that the binaries that are there now are the
> same ones you put there? Please, distribute either source or a
> checksum on the files. Alas, neither mail nor news are secure, nor
> would a CHECKSUM file (found in the directory beside the files of
> interest) be immune to tampering.

So how do you suggest we distribute the checksum? I'm perfectly willing to give out the checksums for the files, but what mechanism would you trust? If we had supplied source, would you have checked for the existence of viruses and worms?

> If you were to call me on the telephone and personally read me the
> checksum numbers, I would have no way to verify that you are who you
> claim to be.

If you are sincerely concerned about this, and have a need to use our R4 binaries, you can call me - (503)750-2598, or simply call the main Corvallis site number (quite verifiable) - (503)757-2000 and ask to speak to me.

> Personally, I wouldn't use binaries found lying about hither and yon.
> If I don't get it on a tape of known origin, or build it from sources,
> I don't run it.
> While HP's intent is laudable, their implementation is impractical.

While I certainly understand your concern, I would contend that the R4 distribution tape from the MIT X Consortium _is_ a tape of known origin. If you feel uneasy about using the binaries acquired through ftp, then get the tape. If you still have problems, call me.

Harry Phinney
gjc@mga.COM (George J. Carrette) (01/18/90)
I was wondering Bob, do you have an HP machine on which to run the HP binaries from the R4 tape, or are you just flaming?

And what you say about *NOT* being able to have a secure CHECKSUM file (one immune to tampering) either on the tape or distributed by mail just shows your ignorance of the current state of the art of public-key encryption.

-gjc
bob@MorningStar.Com (Bob Sutterfield) (01/18/90)
In article <118@eileen.mga.com> gjc@mga.COM (George J. Carrette) calls me on the carpet:

   I was wondering Bob, do you have an HP machine on which to run the
   HP binaries from the R4 tape, or are you just flaming?

Neither. I noted Mr. Phinney's confidence in the FTPable binaries,
and considered it to be overconfidence in light of anyone's real
ability to know what is in those files. The original question from
Arthur David Olson <ado@alw.nih.gov> was valid and has not been
answered yet.

   And what you say about *NOT* being able to have a secure CHECKSUM
   file (one immune to tampering) either on the tape or distributed by
   mail just shows your ignorance of the current state of the art of
   public-key encryption.

You're right, it could be done. But it's not yet.

(I'll be quiet now.)
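
Added example, not part of the original thread: the posts above turn on whether a CHECKSUM file kept beside the binaries can resist tampering, and whether public-key techniques close that gap. The Python sketch below contrasts the two cases using a Lamport one-time signature (chosen here only because it needs nothing beyond a hash function); file names and contents are constructed, and the public key is assumed to reach users by a separate trusted channel.

```python
# Added illustration; file names and contents below are constructed samples.
import hashlib, os

def H(b):
    return hashlib.sha256(b).digest()

def manifest(files):
    """CHECKSUM-style listing: one 'sha256  name' line per file."""
    return "".join(f"{H(d).hex()}  {n}\n" for n, d in sorted(files.items())).encode()

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    # Reveal one secret per digest bit. A key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def check_unsigned(files, checksum):
    return manifest(files) == checksum

def check_signed(pk, files, checksum, sig):
    return verify(pk, checksum, sig) and manifest(files) == checksum

def demo():
    files = {"server.bin": b"release build", "README": b"install notes"}
    sk, pk = keygen()            # pk is assumed to reach users out of band
    checksum = manifest(files)
    sig = sign(sk, checksum)
    # Someone with write access to the archive swaps a binary and
    # regenerates the CHECKSUM file next to it.
    tampered = dict(files, **{"server.bin": b"release build + extra code"})
    forged = manifest(tampered)
    return {
        "clean_signed": check_signed(pk, files, checksum, sig),
        "tampered_unsigned": check_unsigned(tampered, forged),
        "tampered_forged_manifest": check_signed(pk, tampered, forged, sig),
        "tampered_old_manifest": check_signed(pk, tampered, checksum, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The unsigned check accepts the tampered archive because the checksum was rewritten along with the file; the signed check rejects it whether the attacker forges the manifest or leaves the old one in place.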