Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!tut.cis.ohio-state.edu!ucsd!ucsdhub!hp-sdd!hp-pcd!hpcvlx!harry
From: terminal info wanted info wanted
Newsgroups: comp.windows.x
Subject: Re: HP server binary viruses?
Message-ID: <100920152@hpcvlx.cv.hp.com>
Date: 17 Jan 90 23:18:32 GMT
References: <90004@elsie.UUCP>
Organization: Hewlett-Packard Co., Corvallis, OR, USA
Lines: 45

Bob Sutterfield writes:

> You sound very certain of the security of your distribution mechanism,
> and I believe you to be sincere in your assertions.

I'm very certain of the distribution mechanism up to putting the binaries into the build tree at MIT. Obviously from that point on, the binaries were outside the control of HP. I guess you'd have to judge whether or not to trust the other people in the chain (i.e. the MIT X Consortium staff if you retrieved it from expo or got it on tape).

> However: Are you sure that the binaries that are there now are the
> same ones you put there? Please, distribute either source or a
> checksum on the files. Alas, neither mail nor news are secure, nor
> would a CHECKSUM file (found in the directory beside the files of
> interest) be immune to tampering.

So how do you suggest we distribute the checksum? I'm perfectly willing to give out the checksums for the files, but what mechanism would you trust? If we had supplied source, would you have checked for the existence of viruses and worms?

> If you were to call me on the telephone and personally read me the
> checksum numbers, I would have no way to verify that you are who you
> claim to be.

If you are sincerely concerned about this, and have a need to use our R4 binaries, you can call me - (503)750-2598, or simply call the main Corvallis site number (quite verifiable) - (503)757-2000 and ask to speak to me.

> Personally, I wouldn't use binaries found lying about hither and yon.
> If I don't get it on a tape of known origin, or build it from sources,
> I don't run it.
> While HP's intent is laudable, their implementation is impractical.

While I certainly understand your concern, I would contend that the R4 distribution tape from the MIT X Consortium _is_ a tape of known origin. If you feel uneasy about using the binaries acquired through ftp, then get the tape. If you still have problems, call me.

Harry Phinney
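The point the thread turns on (a CHECKSUM file fetched from the same directory as the binaries proves nothing, because whoever can replace the binaries can regenerate the checksum too, while a digest obtained through a channel the verifier already trusts does catch a swap) can be shown concretely. The Python below is an added example written for this page, not code from the post, from HP or from the X Consortium; the file name `Xhp`, the byte strings standing in for the binaries, and the use of SHA-256 (which did not exist in 1990) are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for a genuine server binary and a modified copy of it.
ORIGINAL_BINARY = b"\x7fELF constructed stand-in for the genuine R4 server binary"
TAMPERED_BINARY = b"\x7fELF constructed stand-in for a modified server binary"


def sha256_hex(data: bytes) -> str:
    """Hex digest of the data; any collision-resistant hash would do here."""
    return hashlib.sha256(data).hexdigest()


def make_distribution(binary: bytes) -> dict:
    """What a publisher, or anyone who controls the ftp directory, can produce:
    the binary plus a CHECKSUM file computed over it and stored beside it."""
    return {"Xhp": binary, "CHECKSUM": sha256_hex(binary)}


def verify_same_channel(dist: dict) -> bool:
    """Check the binary against the CHECKSUM file retrieved from the same place.
    This only proves the two files agree with each other."""
    return hmac.compare_digest(sha256_hex(dist["Xhp"]), dist["CHECKSUM"])


def verify_out_of_band(dist: dict, trusted_digest: str) -> bool:
    """Check the binary against a digest the verifier obtained independently
    (a tape of known origin, a digest read over a verified phone line)."""
    return hmac.compare_digest(sha256_hex(dist["Xhp"]), trusted_digest)


def demo() -> dict:
    """Run both checks over a genuine and a swapped distribution."""
    # The digest the publisher recorded before the files left its control.
    trusted_digest = sha256_hex(ORIGINAL_BINARY)
    genuine = make_distribution(ORIGINAL_BINARY)
    # A directory where both the binary and its CHECKSUM file were replaced
    # consistently; in-channel verification cannot tell it from the genuine one.
    swapped = make_distribution(TAMPERED_BINARY)
    return {
        "genuine_same_channel": verify_same_channel(genuine),
        "swapped_same_channel": verify_same_channel(swapped),
        "genuine_out_of_band": verify_out_of_band(genuine, trusted_digest),
        "swapped_out_of_band": verify_out_of_band(swapped, trusted_digest),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the same-channel check passing for both distributions and only the out-of-band check rejecting the swapped one, which is exactly why the post asks what distribution mechanism for the checksum the reader would trust: the digest is only as trustworthy as the channel that carried it.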