Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!caen!uwm.edu!linac!att!ucbvax!ulysses!ulysses.att.com!cjc
From: cjc@ulysses.att.com (Chris Calabrese)
Newsgroups: comp.unix.admin
Subject: Re: Questions about UNIX viruses
Message-ID: <14589@ulysses.att.com>
Date: 9 Apr 91 13:19:33 GMT
References: <1991Apr01.203128.13427@esleng.ocunix.on.ca> <579@bria> <1991Apr8.062054.11868@newross.Princeton.EDU>
Sender: netnews@ulysses.att.com
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 65

In article <1991Apr8.062054.11868@newross.Princeton.EDU> tr@samadams.princeton.edu (Tom Reingold) writes:

[ stuff about security by uunet.bria!mike deleted ...]

> You are right, but missed something. Someone in the corporation may
> make the point, valid or not, that publicizing the existence of an
> easy-to-get-to machine or login makes it more vulnerable than a machine
> or login that is unknown. Connecting well is a form of publicity.
> Once you're there, people notice. Posting news makes you much more
> noticeable.

One way around this problem is to set aside a machine as a gateway.
This machine can run news, uucp, etc. to the outside world and lets in
network traffic from the rest of the site; however, the rest of the
site doesn't trust it at all.

That's what happens here. I read and write news on my desk
(workstation or X terminal connected to a server), and all the stuff
happens via nntp on our gateway machine. I can rlogin into the gateway
machine, and I can rcp to and from it from my desk, but once I'm logged
into the gateway machine I can't rlogin out of it or rcp to/from
anywhere.

> I am facing this at my job (which is not at Princeton University). The
> company I work for has a policy of (almost) no internet connections.
> Worse, it has a policy that we are not to have any non-company-owned
> software on our computers. This means no software from Usenet. I
> think the goal may be reasonable, but I think the means are not for two
> reasons: 1. the policy probably won't work, and 2. it restricts free
> exchange of ideas. The latter, in my belief, affects productivity, so
> bottom-line-watchers ought to care about it too.

I would agree that this is a foolish policy. I can understand their
security fears, but I believe that the free exchange of ideas is
extremely important in a scientific/engineering community.

As for the no non-company-owned software thing, I would say that this
is almost impossible to enforce in the real world. The amount of
useful software that's available publicly is just too great (the MIT X
Windows distribution, GNU software, etc.). Many vendors even ship some
of this stuff with their systems!

A more practical strategy on free software is to openly allow software
posted to the moderated net-news groups, and available on "official"
distributions (the MIT X distribution, the Columbia Kermit
distribution, etc.). After that, you can have a more restrictive policy
on other forms of free software (like stuff from alt.sources); however,
even that should allow that software to make its way onto the system
after the source has been reviewed by the local gurus (or has been
accepted by the net.community at large).

Most successful attacks on UNIX boxes that I know of have come in
straight through the front door. Nothing so fancy as net software that
had secret password-cracking stuff in assembler coded into the error
messages that got executed if the machine was a Sun. Just look at the
famous Internet Worm. Everything it did relied on bugs in the
vendor-supplied software, or on shortcomings in the way people chose
their passwords.

Name:			Christopher J. Calabrese
Brain loaned to:	AT&T Bell Laboratories, Murray Hill, NJ
att!ulysses!cjc		cjc@ulysses.att.com
Obligatory Quote:	``pher - gr. vb. to schlep. phospher - to schlep light.
			philosopher - to schlep thoughts.''
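The one-way trust the post describes (inside hosts can rlogin/rcp to the gateway, but the gateway can reach nothing inside) is a property worth checking rather than assuming, because BSD r-command trust chains: if the gateway can reach one inside host that the others trust, it can reach all of them. The following is an added example and not part of the original post or of any AT&T configuration. It assumes that trust is expressed through /etc/hosts.equiv files (the post does not say how the gateway's outbound access is blocked), models those files as a directed graph, and verifies over the transitive closure that no inside host is reachable from the gateway. The host names and file contents are constructed for the example.

```python
"""Check that a news/uucp gateway has only one-way r-command trust.

Model: an edge A -> B means "host B trusts host A", i.e. a user already
logged in on A can rlogin/rcp to B without a password because A appears
in B's /etc/hosts.equiv (a ~/.rhosts entry would add the same kind of
edge).  Trust chains, so the property "nothing inside trusts the
gateway" must hold for every host reachable from the gateway, not only
for direct entries.  Host names and file contents are constructed.
"""

from collections import deque

# Constructed /etc/hosts.equiv contents, keyed by the host that owns the file.
HOSTS_EQUIV = {
    # Outside-facing box: lets inside users in, so it trusts the inside hosts.
    "gateway": "# inside desks and the file server may rlogin/rcp here\n"
               "desk1\ndesk2\nserver\n",
    # Inside hosts trust each other but never list the gateway.
    "server":  "# desks only, never the gateway\ndesk1\ndesk2\n",
    "desk1":   "server\n",
    "desk2":   "server\n",
}


def parse_hosts_equiv(text):
    """Return the set of host names granted password-less access by a hosts.equiv file.

    Comment and blank lines are ignored.  A line is "hostname [username]";
    only the host is used here.  A bare '+' (trust every host) is kept as
    the literal '+' so the caller can treat it as a wildcard.
    """
    trusted = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        trusted.add(line.split()[0])
    return trusted


def trust_graph(files):
    """Build {src: set(dst)} where dst's hosts.equiv names src (dst trusts src)."""
    graph = {h: set() for h in files}
    for dst, text in files.items():
        for src in parse_hosts_equiv(text):
            if src == "+":
                # '+' means every host is trusted, so every other host gets an edge in.
                for other in files:
                    if other != dst:
                        graph[other].add(dst)
            else:
                graph.setdefault(src, set()).add(dst)
    return graph


def reachable_from(graph, start):
    """Hosts reachable from start by following trust edges (transitive closure)."""
    seen = set()
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in graph.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def gateway_violations(files, gateway):
    """Sorted list of hosts the gateway could reach, directly or by chaining.

    An empty list means the site does not trust the gateway at all, which is
    the property the post describes.
    """
    return sorted(reachable_from(trust_graph(files), gateway))


if __name__ == "__main__":
    print("good config, reachable from gateway:", gateway_violations(HOSTS_EQUIV, "gateway"))
    # One careless hosts.equiv entry on the server is enough to expose every desk,
    # even though no desk lists the gateway directly.
    bad = dict(HOSTS_EQUIV)
    bad["server"] = HOSTS_EQUIV["server"] + "gateway\n"
    print("bad config, reachable from gateway:", gateway_violations(bad, "gateway"))
```

Running the script shows an empty list for the constructed configuration and, after the single added `gateway` line on the server, every inside host, because the desks trust the server. Checking the closure rather than grepping each file for the gateway's name is the point: the desks' files never mention the gateway and still end up exposed.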