Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!stanford.edu!agate!ziploc!eps
From: eps@toaster.SFSU.EDU (Eric P. Scott)
Newsgroups: comp.sys.next
Subject: Re: Can a NeXT catch a *virus* or cold or..?
Message-ID: <1767@toaster.SFSU.EDU>
Date: 21 Jun 91 09:07:06 GMT
References: <618@tansei1.tansei.cc.u-tokyo.ac.jp> <1991Jun20.165657.1304@ohm.york.ac.uk>
Reply-To: eps@cs.SFSU.EDU (Eric P. Scott)
Organization: San Francisco State University
Lines: 72

In article <1991Jun20.165657.1304@ohm.york.ac.uk>
	nigelm@ohm.york.ac.uk (Nigel Metheringham) writes:
>The NeXT, I'm afraid, is a prime candidate for the first widespread
>Unix (or Mach to be picky) virus.  My reasons for saying this are:-
>	1.  Most software distribution is done as binaries

This is a *serious* problem.  That's why many sites won't
consider software unless they can inspect the complete source
code, or it's Commercial Off The Shelf.  Commercial vendors
*have* shipped software for Macs and PeeCees containing viruses,
so even that's no guarantee.  A disclaimer of liability doesn't
help much in what can reasonably be considered gross negligence.

I guess I should also point out that picking binaries out of FTP
"submissions" directories isn't terribly bright, since they are
literally world-writable, and it would be trivial for someone to
replace a recent submission with a corrupted version.  That's why
I generally ask archivists to FTP known good copies of my work
from one of my sites, and usually remember to post sizes and
checksums.  (Not perfect, but something of a deterrent.)

>	2.  I think many people have not read the security related
>	    stuff in the manuals, and still fewer have implemented
>	    them, or used things like COPS, so several people have
>	    machines that are wide open.

NeXT *ships* the machines wide open.

>	3.  I bet that a virus would spread round a teaching lab like
>	    (insert your favourite euphemism) - many people ask what
>	    this new program is, and then run a copy without any
>	    checks as to the source etc...

That's not a virus, that's a trojan horse.

>Unix systems have been hit by worms and all sorts of other security
>nasties, and the NeXT is unlikely to be any better in this respect.

NeXT unfortunately doesn't consider this a priority; 2.x still
ships with many executables circa ~1985 that were proven to have
holes--which were subsequently fixed in -tahoe, -reno, and
various intermediate releases.  Since the specific problems tend
to become ->common knowledge<- once it's ASSUMED that everyone's
had time to integrate current versions into their releases, NeXT
software *probably* has bugs competing vendors (Sun, DEC, etc.)
have long since attended to.

How the holes got there to begin with really isn't important;
it's how NeXT responds once notified that they are shipping bad
product.  In my experience, I've found NeXT remarkably
unconcerned about attending to security problems.  Perhaps they
believe that their user base is so unsophisticated that it's just
not important?  After all, if all you do is "point and click"
there's not much trouble you can get into.

I'm really worried NeXT is just going to "deemphasize" UNIX and
"Macintize" the machine.  I don't want an "appliance computer."
I want a UNIX workstation, and not one 15-year-olds can tear
apart blindfolded with one hand behind their back.

>I have not checked for the standard set of holes yet, but I will,

You should!

>and I hope other people will check for known holes, and inform NeXT
>if they find any (whether you should also publish them on the Net is
>a long running argument that I am not going to touch).

My feeling at this point is that you should publish, or at least
carbon copy some "trusted" watchdog (such as CERT) so NeXT
doesn't just sweep things under the rug.  Accountability is
important!

					-=EPS=-
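
Added example, not part of the original post: checking a fetched archive against the size and checksum its author posted separately, the practice the reply describes for files picked up from a world-writable "submissions" directory. SHA-256, the "name size digest" manifest layout and the file names are assumptions; the post names no algorithm or format, and all sample data is constructed.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse 'name size sha256hex' lines (assumed layout) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, size, digest = line.split()
        entries[name] = (int(size), digest.lower())
    return entries

def verify(path, manifest):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'checksum-mismatch'."""
    name = os.path.basename(path)
    if name not in manifest:
        return "unlisted"  # nothing posted for this file: do not trust it
    want_size, want_digest = manifest[name]
    if os.path.getsize(path) != want_size:
        return "size-mismatch"  # cheap check first, no need to hash
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), want_digest):
        return "checksum-mismatch"
    return "ok"

def demo():
    """Constructed case: the author's file, then two replaced versions."""
    original = b"constructed release contents v1\n"
    swapped = b"constructed release contents v!\n"  # same length, one byte changed
    # The manifest comes from the author's own posting, not the FTP directory.
    manifest = parse_manifest(
        "# constructed manifest\n"
        f"Tool.tar {len(original)} {hashlib.sha256(original).hexdigest()}\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Tool.tar")
        for label, data in (("original", original), ("same-size-swap", swapped),
                            ("padded-swap", original + b"extra")):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify(path, manifest)
        other = os.path.join(d, "Other.tar")
        open(other, "wb").close()
        results["unlisted"] = verify(other, manifest)
    return results
```

The check only helps when the manifest arrives by a channel the person replacing the file cannot also write to; a checksum file sitting in the same submissions directory can be swapped along with the archive.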