Path: utzoo!attcan!uunet!munnari!bruce!monu1!vaxc!johnm
From: johnm@vaxc.cc.monash.edu.au (John Mann)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Worms and fixing blame
Message-ID: <964@vaxc.cc.monash.edu.au>
Date: 22 Nov 88 02:02:26 GMT
References: <8811100539.AA27545@ACC-SB-UNIX.ARPA>
Organization: Computer Centre, Monash University, Australia
Lines: 38

In article <8811100539.AA27545@ACC-SB-UNIX.ARPA>, lars@ACC-SB-UNIX.ARPA (Lars J Poulsen) writes:
> As a minimum, everybody who buys system software should add the following
> clause to their purchase orders: "The system shall identify each user by
> a unique user identification, and password validation shall be used to
> ensure that no unauthorized access occurs". This will ensure that you can
> hold the vendor liable for losses you might incur in a situation like this.

Does this mean that everyone who wants to send mail to your machine has to
have their own usercode and password on that machine?

I guess this also means that the vendor has to disable the ".rhosts"
facility to prevent users from being able to open up their own security.

Are you going to disable other TCP/IP services like finger? ARP?

I am not trying to put you down, just raise the question of what you really
mean by "authorized" and "access". Does running a TCP/IP server of any type
automatically "authorize" everyone to "access" your system? Does putting
your machine on an Ethernet/modem connection "authorize" other people to
send packets to it/dial your phone number?

I presume someone will say that by "access", it really means people
"Logging on" where they shouldn't. But the worm didn't involve a person
"Logging on" where they shouldn't. Didn't the worm invoke Telnet where it
had guessed the password? If it had a valid username and password, it is by
definition "authorized", isn't it?

> UCB, of course would likely refuse to accept this responsibility, thus
> making the problem with non-commercial software explicit.

I guess they could say that straight off the tape the networking doesn't
work (not configured etc.), and you don't *have* to turn the networking
on. :-)

John
-- 
John Mann, Systems Programmer, Computer Centre, Monash Uni. VIC 3168, Australia
Internet: JohnM@Vaxc.CC.Monash.Edu.Au     Phone: +61 3 565 4774
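An added example, not part of John's post or of anything else in this thread: the check a system administrator would run for the ".rhosts" concern raised above, scanning home directories for entries that trust every host or every user (the "+" wildcard), which is exactly how a user "opens up their own security" without the vendor's involvement. The directory layout, host names and user names are constructed sample data written into a temporary directory; nothing is read from the real system.

```shell
#!/bin/sh
# Audit .rhosts files for wildcard trust entries.
# .rhosts lines have the form "host [user]"; a "+" in either field means
# "any host" or "any user". Both forms are flagged below. Netgroup forms
# such as "+@group" and negative "-host" entries are left alone, since
# they narrow rather than widen trust.

# Print one "path: host user" line per risky entry found under $1.
list_risky_rhosts() {
    find "$1" -name .rhosts -type f | while IFS= read -r f; do
        while read -r host user _; do
            # skip blank lines and comments
            case "$host" in ''|'#'*) continue ;; esac
            if [ "$host" = "+" ] || [ "$user" = "+" ]; then
                printf '%s: %s %s\n' "$f" "$host" "$user"
            fi
        done < "$f"
    done
}

# Number of risky entries under $1 (0 when none).
count_risky_rhosts() {
    list_risky_rhosts "$1" | wc -l | tr -d ' '
}

# Constructed sample home directories (hypothetical hosts and users);
# prints the temporary root so the caller can audit and then remove it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/home/carol"
    # alice: a named host and a named user -- acceptable
    printf 'host1.example.edu alice\n' > "$d/home/alice/.rhosts"
    # bob: "+" host lets user bob in from anywhere -- risky
    printf '# trusted machines\n+ bob\n' > "$d/home/bob/.rhosts"
    # carol: "+ +" trusts every user on every host -- worst case
    printf '+ +\nhost2.example.edu carol\n' > "$d/home/carol/.rhosts"
    printf '%s\n' "$d"
}

# Stand-alone run: build the sample, report, clean up.
tree=$(make_sample_tree)
echo "risky entries: $(count_risky_rhosts "$tree")"
list_risky_rhosts "$tree"
rm -rf "$tree"
```

On a real host the same functions would be pointed at /home (or wherever home directories live), and the root's own /.rhosts and /etc/hosts.equiv deserve the same scrutiny, since a "+" there opens the whole machine rather than one account.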