Xref: utzoo comp.protocols.tcp-ip:5183 comp.unix.wizards:12174
Path: utzoo!utgpu!attcan!uunet!seismo!esosun!ucsdhub!ucsd!net1!hutch
From: hutch@net1.ucsd.edu (Jim Hutchison)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Crackers and Worms
Keywords: bug reality
Message-ID: <1240@ucsd.EDU>
Date: 7 Nov 88 06:01:10 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM>
Sender: nobody@ucsd.EDU
Reply-To: hutch@net1.UUCP (Jim Hutchison)
Distribution: na
Lines: 26
Organization:

Unix is not a "secure" system. No system attached to a network is
entirely secure. Valid and illicit network transactions can be identical.
A casual shell expansion here, a little flexibility in input for a mailer
there, ... the system not designed to stop intruders lets them in. For
security, put the machine in a red Tempest can and seal it up tight. Or
looked at in another light, more damage could have been done with a modem
and 10 popular women's names!

The type of hole through which a recent Deutschlander climbed, still
exists. The casual hole. A broken piece of software that did not get
updated, or came back from a backup when the controller scrawled wild
accusations across the system partition. Human error is real, it can not
be ignored. Most importantly, it will happen to you.

Locks are for children and honest people. It is nice to know that there
are "locks" on the doors of the system. I don't go out cracking security,
I'm simply not interested. Almost anyone *can* crack security. BSD
security is not particularly more ventilated than SysVr*, or VMS.

Software has bugs. Get it. If it fails to deliver a letter, or lets in
"the man with no name", it's still just a bug.

Hopefully this article has not fed any hysteria.

/* Jim Hutchison   UUCP: {dcdwest,ucbvax}!cs!net1!hutch
                   ARPA: JHutchison@ucsd.edu
   These are my opinions, and now you have your perceptions of them. */