Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!think.com!mintaka!bloom-beacon!ora!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.unix.admin
Subject: Re: Questions about UNIX viruses
Message-ID: <713@minya.UUCP>
Date: 20 Apr 91 13:46:25 GMT
References: <1991Apr01.203128.13427@esleng.ocunix.on.ca> <579@bria> <14589@ulysses.att.com>
Lines: 63

> >I am facing this at my job (which is not at Princeton University). The
> >company I work for has a policy of (almost) no internet connections.
> >Worse, it has a policy that we are not to have any non-company-owned
> >software on our computers. This means no software from Usenet. I
> >think the goal may be reasonable, but I think the means are not for two
> >reasons: 1. the policy probably won't work, and 2. it restricts free
> >exchange of ideas. The latter, in my belief, affects productivity, so
> >bottom-line-watchers ought to care about it too.
>
> I would agree that this is a foolish policy. I can understand their
> security fears, but I believe that the free exchange of ideas is
> extremely important in a scientific/engineering community.

Yeah; this is why historically most scientific advances have come from
government and university researchers, not from corporations. The few
exceptions are mostly places like Bell Labs, and it's hard to make a
convincing argument that AT&T is really a private corporation; it is
more of a government department thinly disguised by a veneer of paper
to make it look legally private.

The Internet arose from the ARPAnet, which was developed mostly at
universities (and a few places like BB&N) with government funding.
Sun's NFS was developed at Stanford. X windows was developed at MIT
(with DEC and IBM funding, true, but with repeated firm statements by
MIT people that *nothing* developed there was proprietary). Real
advances require open communication among developers; corporations
usually don't even allow this internally.

> Most successful attacks on UNIX boxes that I know of have come in
> straight through the front door. Nothing so fancy as net software
> that had secret password cracking stuff in assembler coded into the
> error messages that got executed if the machine was a Sun.
>
> Just look at the famous Internet Worm. Everything it did relied on
> bugs in the vendor supplied software, or in shortcomings in the way
> people chose their passwords.

If you read any summary of worms/viruses/etc., one thing that really
stands out is that almost all of them take advantage of the vendor's
supplied software. It's ironic that almost every manager fears the
public domain stuff, which has almost never been the source of any
problems, while admitting the off-the-shelf commercial stuff, which
is where the problems usually originate.

This isn't saying that the vendors are at fault, of course. After
all, if you were to try to implement a virus, and you wanted it
spread, what would you use as a vector? A public-domain program off
the net that is recompiled (and hacked) by a few thousand programmers
on a wide variety of systems, and who will see your code? Or a
vendor's utility, which is delivered in binary form to all of their
customers and installed by someone who hasn't even looked at it?
Silly question, right?

It's especially ironic that there is widespread fear of email and
news links as sources of viruses, when the records show clearly that
almost all infections are via swapped disks and tapes that contain
doctored versions of commercial programs. The perception and the
reality here have very little relationship.

--
All opinions Copyright (c) 1991 by John Chambers. Inquire for licensing at:
Home: 1-617-484-6393
Work: 1-508-486-5475
Uucp: ...!{bu.edu,harvard.edu,ima.com,eddie.mit.edu,ora.com}!minya!jc