Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!pasteur!ucbvax!ACC-SB-UNIX.ARPA!lars
From: lars@ACC-SB-UNIX.ARPA (Lars J Poulsen)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Worms and fixing blame
Message-ID: <8811100539.AA27545@ACC-SB-UNIX.ARPA>
Date: 10 Nov 88 05:39:02 GMT
Sender: usenet@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 64

> In article <2060@spdcc.COM>, eli@spdcc.COM (Steve Elias) writes:
>> "Wormer" Morris has quite a career ahead of him, i'll bet.
>> he has done us all a favor by benevolently bashing bsd 'security'.

> Date: 7 Nov 88 20:06:23 GMT
> From: ember!dre@sun.com (David Emberson)
> Subject: Re: a holiday gift from Robert "wormer" Morris
>
> I knew about this sendmail bug at least four years ago, courtesy of Matt
> Bishop (now at Dartmouth). He wrote a paper detailing at least a half dozen
> holes in the Unix system and methods for constructing trojan horses which was
> so dangerous that he responsibly decided not to publish it, but instead to
> give selected copies to people who could fix some of the problems.
> ... His behaviour, while unsung by the press and the Usenet community,
> is an example of the highest in professional and academic standards.
> This is the kind of behaviour that we should be extolling.

I work as a customer service manager at a TCP-IP networking company. My wife is a corporate MIS person. She asked me about technical aspects of the worm, and expressed a wish to see severe criminal charges pressed against the perpetrator. I asked her on what grounds, since there apparently was no provable malicious intent and no "real damage".
Rather, I suggested, SUN Microsystems might be liable for releasing operating systems software with undocumented functionality creating a security hole, and companies and/or government institutions that had chosen to run poorly documented software available "for free" from a research facility should accept responsibility for whatever befalls them if they do not review the software that they make themselves dependent on. I suggested as a parallel that no company would be likely to install, without test and review, a payroll package found floating around on a computer bulletin board, and if they did, and the IRS sued them for improper calculation of withholdings, they would have only themselves to blame. I think she agreed.

The DEBUG code apparently was intended for use internally in the sendmail development group, and should have been turned off at product release. It is sort of understandable that a university would not have a clear idea about quality control, and not have an independent review before release. It is much less acceptable that the same seems to have been the case at SUN. As far as I can ascertain, the ULTRIX engineering group was aware of the problem, and the Ultrix systems on which I have looked all seem to contain a sendmail compiled without DEBUG.

If the claim mentioned above (that UCB's CSRG (sp?) was explicitly made aware of this problem several years ago) is true, it seems to me that a claim could be made that UCB was negligent in not instituting procedures to address this problem. David Emberson lauds Mr Bishop for being a responsible person who brought the problem to the attention of the people who were in a position to correct it, rather than creating a media event; but look how effective that was ????
As a minimum, everybody who buys system software should add the following clause to their purchase orders: "The system shall identify each user by a unique user identification, and password validation shall be used to ensure that no unauthorized access occurs". This will ensure that you can hold the vendor liable for losses you might incur in a situation like this. UCB, of course, would likely refuse to accept this responsibility, thus making the problem with non-commercial software explicit.

/ Lars Poulsen
Advanced Computer Communications
(Employer name for identification only; my employer knows I have opinions but disclaims responsibility)