Path: utzoo!utgpu!attcan!uunet!husc6!tut.cis.ohio-state.edu!triceratops.cis.ohio-state.edu!karl
From: karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste)
Newsgroups: news.sysadmin
Subject: Re: Possible Fines for Virus Perpetrator
Message-ID: <27203@tut.cis.ohio-state.edu>
Date: 10 Nov 88 18:38:43 GMT
References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <2279@looking.UUCP>
Sender: news@tut.cis.ohio-state.edu
Distribution: na
Lines: 56
In-reply-to: brad@looking.UUCP's message of 8 Nov 88 07:28:35 GMT

brad@looking.UUCP (Brad Templeton) writes:

> This is why I said the virus was a good thing. If this bug had simply
> been reported, what would have taken place?

Lots of good things, that's what.

> o Attempts would be made to make sure the information was never
>   broadcast.

No.

> o People would try to send the fix out to various sysadmins, half of
>   whom would not fix it because they're lazy, and 1/4 of whom would not
>   fix it because sysadmins are the only ones to know about it.

No again.

> o The fix would go in the next release, and after a few years, most
>   people will have upgraded, except perhaps their server machines which
>   run just fine and don't need the extensive work of an upgrade.

No a third time.

> Now everybody has worked to plug it, and plug it fast.

I submit as an example, yet again, the recent discovery of a security
hole in ftpd. In juxtaposition against your 3 suggestions above:

o The information was broadcast, "quietly," to a LOT of people who had
  the wherewithal to do something about it.

o There were fixes available FAST. I learned of the mess less than 6
  hours after first report. I had a sample fix less than 30 minutes
  after that. And that was at 11:30pm on a Saturday night! I eventually
  got 2 more fixes, unsolicited, from other friends around the Internet.
  Everyone I knew was installing it as fast as they could get their
  shell to exec /bin/make.

o The fix was made public via a posting in ...ucb-fixes so that everyone
  with a C compiler can upgrade NOW and not wait for slow-as-molasses
  vendors to decide that it's worth getting around to. And I think it's
  important to note that not all vendors are slow-as-molasses, either; I
  sent a copy of what I initially received to Pyramid and had the
  attention of csg@pyramid FAST - they began a distribution of their fix
  within (I think) 2 days.

Consider that the ftpd bug was initially reported over the weekend when
X11R3 was released. Did everyone notice lots of anon ftp sites
announcing that they were down/ftp-disabled for a while until they could
close down a `small security problem?' Yeah, I thought you noticed
expo.lcs.mit.edu disappearing for a while, not to mention . We had to do
so, mentioning it in gnu.something.

The system works when given a decent chance to try to work.