Path: utzoo!attcan!uunet!n3dmc!johnl
From: johnl@n3dmc.UU.NET (John Limpert)
Newsgroups: news.sysadmin
Subject: Re: The worm's real purpose
Message-ID: <436@n3dmc.UU.NET>
Date: 10 Nov 88 02:52:17 GMT
References: <16496@agate.BERKELEY.EDU> <2210004@acf3.NYU.EDU>
Reply-To: johnl@n3dmc.UUCP (John Limpert)
Organization: N3DMC, Silver Spring, Maryland
Lines: 32

In article <2210004@acf3.NYU.EDU> rosenblg@acf3.NYU.EDU (Gary J. Rosenblum) writes:
>Do you also believe then that you can point out a bank's security
>problems by going in and robbing it? Yes, there are quite a few
>security holes in Unix, and they need to be fixed. But is effectively
>crippling the work of a great number of people all across the
>world (mostly US) the best way to point out these problems?

I'm sorry to say that this may have been the only way of getting the bugs fixed. As a UNIX user and the administrator of several small machines, I am continually frustrated by the indifferent attitude of UNIX vendors, management and average users towards security. UNIX distribution kits are routinely delivered with gaping security holes in file and directory permissions and security bugs that never get fixed. I try to fix the obvious problems, but most vendors and users just yawn when you point out a problem. Management never seems to consider security when purchasing software and systems; they just want something fast, reliable and cheap.

Several people asked me about the vulnerability of our systems after the virus was publicized and the local segment of the internet was disconnected and isolated. The virus got their attention. Security costs money, but lack of security may cost more in the long run.

I have given up on vendors; they will not do anything if the customer doesn't push the issue. I would like to see the government and major corporations develop and enforce security standards on systems that they purchase.

People with source licenses can fix their problems if they are aware of the problem and have the expertise to fix it. Unfortunately, I and many other people have to deal with binary distributions that aren't supported after the vendor introduces a new product line.

--
John A. Limpert UUCP: johnl@n3dmc.UUCP, johnl@n3dmc.UU.NET, uunet!n3dmc!johnl