Path: utzoo!attcan!uunet!convex!killer!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!pasteur!ucbvax!pinocchio.UUCP!bzs
From: bzs@pinocchio.UUCP (Barry Shein)
Newsgroups: comp.protocols.tcp-ip
Subject: Worms and fixing blame
Message-ID: <8811171631.AA08189@pinocchio.UUCP>
Date: 17 Nov 88 16:31:17 GMT
References: <8811100539.AA27545@ACC-SB-UNIX.ARPA>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 48

From: lars@ACC-SB-UNIX.ARPA (Lars J Poulsen)
>As a minimum, everybody who buys system software should add the following
>clause to their purchase orders: "The system shall identify each user by
>a unique user identification, and password validation shall be used to
>ensure that no unauthorized access occurs". This will ensure that you can
>hold the vendor liable for losses you might incur in a situation like this.

Does this make sense? Does sending mail without a password constitute
"unauthorized access"? How about being able to transfer a file to a
publicly writeable scratch area? How about if it fills that scratch area
and cripples the system, or fills a mail spool causing mail to be lost?
How about being able to finger someone? What if someone merely ties up
networking bandwidth so as to cause you major nuisance? What if they
merely dial-up your system with N modems and tie up every available
dial-up you have? Are all those the vendor's fault? What if they eavesdrop
on your packets going across an ethernet? etc etc.

What exactly is "unauthorized access"? Whatever inconveniences you as an
afterthought?

I don't believe that this past problem would have been an issue under your
proposal; the system certainly demands a password for login access. You're
too vague: the bug exploited was that a particular mail message text could
allow an "undesired" program to run (as opposed to many, permitted and
necessary, "desired" programs regularly run on behalf of mail messages.)

The problem is that users' security needs are widely varied.

Oh, I agree that this past worm entry was an obvious botch, but let's talk
in more general terms; at some point we all agree an error occurred, but
the important thing is to agree on intent. It's easy to say something like
"reasonable security" in a contract or some other such mom and apple pie
truism, but what does it mean? How can we determine if the contract has
been breached?

What are needed are reasonably detailed security requirements (the
military certainly has these, although I doubt they would correspond to
most users.) A test suite would be very helpful which would reflect these
needs. But that would require real work, and cost real money...

Let's face it, one person's security requirement is another's damned
nuisance.

	-Barry Shein, ||Encore||