Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!eecae!cps3xx!rang
From: rang@cpsin3.cps.msu.edu (Anton Rang)
Newsgroups: news.sysadmin
Subject: The virus (worm, whatever) -- long
Keywords: npr, discussion, security, source, users
Message-ID: <1050@cps3xx.UUCP>
Date: 11 Nov 88 05:20:24 GMT
Sender: usenet@cps3xx.UUCP
Reply-To: rang@cpswh.cps.msu.edu (Anton Rang)
Organization: Michigan State University, Computer Science Dept.
Lines: 53
Disclaimer: These are MY opinions only.

To get things started with a fairly non-controversial topic...did anyone else hear the piece All Things Considered ran Thursday on the virus? Pretty well done, I thought--especially the "voice of the virus". I noticed they interviewed Gene Spafford, too (BTW, thanks for all the work you did in this!).

Now, on to other things. I'm going to try and straddle the line here a bit. There isn't much question in my mind that the worm was a bad thing: it "wasted" a lot of CPU time (in academia, industry, and government), and more importantly a lot of people's time. On the other hand, I think it has had some good side effects too.

For one thing, there is a lot more PUBLIC discussion of security going on. As a new UNIX system manager (under 2 years), I knew that UNIX had some fundamental security problems. I believed that by restricting things like /etc/hosts.equiv, /.rhosts, and by carefully shutting down access to files (i.e. /etc/init probably shouldn't be mode 755) the system would be "reasonably" secure, for an academic environment at least--in other words, after a security breach, I could pretty much backtrack and find out who it was (or at least what they did). Well, I was wrong.

Working on Sun systems, I do not have access to source for most of the programs on the system. More importantly, perhaps, as a graduate student I don't have the TIME to go through the source and look for security holes. Yet there are people out there who know about them yet don't tell anyone, or tell only a fairly restricted group of people. That doesn't help me.

A lot of the blame has to be put on the vendors, too. Even though most of DEC's security work is with VMS, they did at least send out sendmail without the debug mode. A lot of vendors just sent out the compiled code, with debug or you-name-it still in it! These vendors should be shaking in their boots--I suspect a good argument could be made that there is an implied warranty on security, especially when the source is not distributed by them to customers, but is available to people who might try to break in (does this sound backward?).

Well, this is getting long, so one more idea and I'll end. Maybe somebody (NIC? DoD?) should have a group in charge of tested Internet security. Nothing like releasing viruses etc. (if nothing else, the argument about "the boy who cried wolf" applies here). But maybe at least periodically checking hosts in the NIC database for the obvious, well-known problems. Somebody want to volunteer?

One last note (this is it, really!). I think that this whole scare has been a benefit to a lot of USERS (as opposed to system managers). There is an attitude among many people of "It's in the computer, it must be safe". Even when backups are only done once a month. Even when potentially sensitive information is there. Maybe now some users will pressure their admins more about security. And that's probably good.

Enough.

+---------------------------+------------------------+----------------------+
| Anton Rang (grad student) | "UNIX: Just Say No!"   | "Do worry...be SAD!" |
| Michigan State University | rang@cpswh.cps.msu.edu |                      |
+---------------------------+------------------------+----------------------+