Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski)
Newsgroups: comp.virus
Subject: Re: mainframe viruses
Message-ID: <0006.9006051151.AA17014@ubu.cert.sei.cmu.edu>
Date: 4 Jun 90 14:10:30 GMT
Sender: Virus Discussion List
Lines: 49
Approved: krvw@sei.cmu.edu

craig@tolerant.com (Craig Harmer) writes:
>...wasn't there even something on Bitnet (i'm not sure)? i suspect
>that MVS and VM have *more* holes than Unix, for the simple reason that
>there are less people around looking for holes to exploit. far fewer
>people have access to the source, or machines that run it. they cost
>more than $1 million each, after all.
>...{stuff about VM's frailties deleted}...

I believe you're referring to the infamous XMAS (or CHRISTMA) EXEC that
could in fact crash VM by filling up its spool space. But, as with any
other system, alert staff here were able to nip it in the bud *before*
VM came crashing down (similarly, we have been able to avoid XMAS clones
by making the operations staff aware of them as they appear). It is my
intuition that any system that has a file transfer mechanism has to have
dasd to put files onto, and thus runs the risk of crashing when that
dasd area runs dry (I don't know, other systems may handle it better,
e.g., by rejecting files when spool space is dry; in fact, I think VM
can be set up in this way).

As for stepping all the way to class 'A' once you get beyond 'G', I
really don't know; VM isn't my specialty. But it seems to me that there
would be *some* measures against this built into the system.

I disagree with your premise about Unix vs. VM or MVS security, though.
MVS has been in development far longer than Unix has been alive (even
back beyond the days of MVT), and there are many shops that use MVS and
VM (IBM ain't making it on PS/2s alone). Thus, these operating systems
have had much more opportunity for people to poke around in them. Not to
say they are invincible, mind you, but I think they're less susceptible
than Unix.

As for the source being readily available, that was a matter of choice,
and one that should, and has, been stood by. I wrote a shareware program
with a friend, and we decided not to distribute source because we felt
it would make it harder for someone to break our code that way. For the
same reasons, I'm inclined to believe that building back doors and
spreading viruses in Unix is easier with the source readily available.
The technical knowledge isn't as necessary as general programming
knowledge if the source is there.

Again, it is just a matter of choice. Unix was intended to be a
programmer's system; as such it does a great job. With all systems,
there is a tradeoff between functionality and security, the trick is to
find the right balance.

 /===\   Arthur J. Gutowski, System Programmer
: o o :  MVS & Antiviral Group / WSU University Computing Center
: --- :  Bitnet: AGUTOWS@WAYNEST1  Internet: AGUTOWS@WAYNEST1.BITNET
 \===/                             AGUTOWS@cms.cc.wayne.edu
 Have a day.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Please all and you will please none."   -Aesop