Xref: utzoo comp.protocols.tcp-ip:5236 comp.unix.wizards:12208
Path: utzoo!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!purdue!decwrl!labrea!polya!morgan
From: morgan@polya.Stanford.EDU (Robert L. Morgan)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Re: a holiday gift from Robert "wormer" Morris
Message-ID: <4906@polya.Stanford.EDU>
Date: 8 Nov 88 19:19:34 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <76424@sun.uucp>
Reply-To: morgan@polya.Stanford.EDU (Robert L. Morgan)
Distribution: na
Organization: Stanford University
Lines: 28

I could only sigh as I telnet'ed to the various machines that I use here on campus to change my passwords last Friday morning (along with most other users, no doubt), hoping that some "bored graduate student" wasn't sucking up the cleartext passwords as they passed across our various broadcast LANs.

The recent viral event makes it very clear that those of us who promote the use of network-attached computers in their current insecure state are on the same moral ground with, say, the automotive engineers and management who manufactured and sold the exploding Pintos of a few years back. There is a conspiracy of silence (acknowledged by those posters who "knew about the bug four years ago") that we all participate in whenever we design, produce, purchase, or install such systems without raising the issue of security.

Project Athena (among others) has shown that order-of-magnitude improvements in security are possible without terrible penalties in performance or usability, but is anyone listening?

I hope people will keep the implications of the virus attack in mind as they go about their daily technological work. A patch to sendmail, putting Mr. Morris in jail, or saying the Pledge of Allegiance each morning, are not the answer.

- RL "Bob" Morgan
  Networking Systems
  Stanford