Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!apple!agate!shelby!helens!baroque!jim
From: jim@baroque.Stanford.EDU (James Helman)
Newsgroups: comp.sys.sgi
Subject: Re: Binary Programs on Info-Iris
Message-ID:
Date: 25 Sep 90 01:01:47 GMT
References: <9009201522.AA00565@> <1990Sep21.175208.266@odin.corp.sgi.com> <6451@castle.ed.ac.uk>
Sender: news@helens.Stanford.EDU
Organization: Stanford University
Lines: 56
In-reply-to: matthew@castle.ed.ac.uk's message of 23 Sep 90 16:34:18 GMT

   1) Binaries should not be posted to the net:

   I have been slated by workmates, quite rightly, for attempting to
   run Paul's program on our machine. The net is not secure and running
   binaries straight off it (even if they appear to come from sgi) is
   not a good idea.

The same is true of large source code distributions as well. I have
looked at only a small fraction of the source code off the net which
I've compiled, some of it installed suid root. Any piece of it could
be dangerous, but not necessarily by intention. A good example is the
recent XView source code distribution, whose original makefile (which
was quickly corrected and disseminated thanks to the net) did an
"rm -rf ../../." in response to a "make clean." Another was the
gnuemacs makemail security "hole", which resulted from someone
incorrectly installing suid root a program which was not designed for
and did not need to be installed that way.

I think it's important to raise the issue. Sysadmins of lots of
machines right on the Internet are too complacent about security, not
even bothering to put passwords on user, and often even system,
accounts. Others are too paranoid and want to forbid use of any
software from the net. They both worry me.

Everyone should remember what can happen, even when your machine is
running mainstream software:

   Received: by thrush.STANFORD.EDU (3.2/4.7); Thu, 3 Nov 88 03:36:02 PST
   Subject: Sun & Vaxen virus ALERT!
   Date: Thu, 03 Nov 88 03:36:00 PST

   This evening our cluster of Suns and Vaxen started having a fit.
   Sluggish. Heavy load. The finger daemons were buzzing and lots of
   sh's and rsh's started popping up.

   . . . .

   Yep, someone is spreading a virus across the ethernet by executing
   shell commands via sendmail. The shell script compiles and runs a
   C program which opens an ethernet connection to copy the full virus
   from an infected machine. Apparently, it then looks for ways to
   propagate itself to other machines. I've managed to intercept a copy
   of the receptor program by creating a fake sed. But so far, I
   haven't been able to get a full copy. This virus doesn't appear to
   do any damage other than creating a heavy load and possibly crashing
   the machine when resource limits are exceeded.

Whether risking network software is worthwhile depends on how much you
trust the source and how much you want the software. And most of us
want software real bad. Most of the past damage hasn't been caused by
malice, but by goofs. Let's hope both consumers and suppliers of code
are careful enough to avoid any disasters. It's too valuable an
exchange to give up.

Jim Helman
Department of Applied Physics        Durand 012
Stanford University                  FAX: (415) 725-3377
(jim@KAOS.stanford.edu)              Work: (415) 723-9127