Path: utzoo!attcan!uunet!husc6!bbn!rochester!kodak!gizzmo!lazlo!ccs
From: ccs@lazlo.UUCP (Clifford C. Skolnick)
Newsgroups: comp.unix.wizards
Subject: Re: rtm and uucp
Summary: College student does not mean criminal
Message-ID: <90@lazlo.UUCP>
Date: 14 Nov 88 06:16:16 GMT
References: <8409@alice.UUCP> <8597@rpp386.Dallas.TX.US>
Organization: The Steam Tunnel, Henrietta, NY
Lines: 33

In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>
>It would be so nice if someone would undertake a security audit to
>insure that work other college students did, which *is* currently
>in production, doesn't contain any surprises.

What evidence do you have that college students are evil programmers
whose code should be verified? It does not take a college student to
place a section of unauthorized code into a program. I'm sure many
programs out in the real world have similar features added by a
programmer and abused by another (as this case was).

I would much rather you have requested an audit on *all* code written
by *any* programmer. No one person should ever be trusted so much to
not validate code that person had written. This is especially true for
any program that runs set-uid to root.

Would you install a set-uid root program off the net without taking a
real careful look at the code? So why did all those source sites not
pick up on this problem long ago? If they did notice it, they kept
their mouths shut. That is just as wrong as the author of sendmail who
supposedly added that code to avoid restrictive management policies.

>Our friendly enchilada may not be the only prankster out there ...

I take offence at your attack on college students. I am a college
student and have never deliberately compromised the security of any
code I have written or worked on.
-- 
Clifford C. Skolnick    | "You told me time makes it easy, then you never told
Phone: (716) 427-8046   |  me time stands still" - Gary Neuman
TCP/IP: 44.68.0.195     | ...!rutgers!rochester!ritcv!ritcsh!sabin! lazlo!ccs
ccs@lazlo.n1dph.ampr.org|       \!kodak!pcid!gizzmo!/