Path: utzoo!utgpu!watmath!clyde!att!ucbvax!HOGG.CC.UOREGON.EDU!jqj
From: jqj@HOGG.CC.UOREGON.EDU
Newsgroups: comp.protocols.tcp-ip
Subject: Re: a holiday gift from Robert "wormer" Morris
Message-ID: <8811092222.AA03707@hogg.cc.uoregon.edu>
Date: 9 Nov 88 22:22:43 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 33

  Date: 7 Nov 88 20:06:23 GMT
  From: dre@sun.com
  Subject: Re: a holiday gift from Robert "wormer" Morris
  To: tcp-ip@sri-nic.arpa
  Message-Id: <76424@sun.uucp>

  I knew about this sendmail bug at least four years ago, courtesy of
  Matt Bishop (now at Dartmouth).  He wrote a paper detailing at least a
  half dozen holes in the Unix system and methods for constructing trojan
  horses which was so dangerous that he responsibly decided not to
  publish it, but instead to give selected copies to people who could fix
  some of the problems.

This raises another interesting question: what is the responsibility of
the major Unix vendors vis-a-vis such network security problems?  If these
security holes have in fact been known by people in SUN and DEC (not to
mention Berkeley) for years, why weren't they fixed?

I believe that the ONLY way we are going to see most of these Unix
security problems resolved is to beat on the vendors to fix them in their
next releases.  We are being totally irresponsible if we use the Unix
from vendor X, know about a major security hole in X's Unix, and don't
SPR it.  X is being totally irresponsible if they don't fix problems
SPRed, and quite irresponsible not to be fixing problems that are
"common knowledge".

A test: will the next releases of SunOS and Ultrix include
 - a sendmail without the "debug" bug
 - a fixed fingerd
 - a fixed ftpd
 ...etc.?