Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!cmcl2!adm!smoke!gwyn From: gwyn@smoke.BRL.MIL (Doug Gwyn ) Newsgroups: comp.unix.wizards Subject: Re: Virus Attack! Message-ID: <8867@smoke.BRL.MIL> Date: 12 Nov 88 05:42:30 GMT References: <35900005@webb> Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) ) Organization: Ballistic Research Lab (BRL), APG, MD. Lines: 30 In article <35900005@webb> webb@webb.applicon.UUCP writes: >Though this situation will certainly be only temporary, I wonder if this marks >the beginning of the end of the vast, loose networks that are so prevalent >today. With no way to assign blame or responsiblity to the pranksters who >build these viruses, I would be suprised if some companies thought twice >before agreeing to connect to a network, considering the potential risk. You're never going to attain ABSOLUTE security on ANY computer system, even isolated ones in Faraday cages with armed security guards controlling access. What you actually can attain is some probability that your system's mission functions can be performed without outside disruption, or without leaking proprietary information, or whatever your security criteria are. If this probability is high enough, then your security is good enough despite the fact that it cannot be perfect. You have to balance the improved security confidence level you would obtain by disconnecting from the net against the loss of value such a disconnect would entail. That is the only way you can make a rational evaluation of the advisability of yanking the plug. The problem with the Internet is that there are too many unchecked possibilities for security holes to assign a really high probability against unwanted interference. The level can be substantially raised, for example by careful protocol and server code reviews, and it appears to me that this should be done -- with proper coordination! My experience has been that even at a fairly security-conscious organization, the biggest security flaws are not weaknesses in networking software but are rather local "people problems". That is not to say that we shouldn't strive to improve BOTH.