Path: utzoo!attcan!uunet!apctrc!cra2!zjat02
From: zjat02@cra2.uucp (Jon A. Tankersley)
Newsgroups: comp.unix.wizards
Subject: Re: Implications of recent virus (Trojan Horse) attack
Message-ID: <626@apctrc.UUCP>
Date: 14 Nov 88 23:43:23 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2151@ficc.uu.net> <8845@smoke.BRL.MIL> <8562@rpp386.Dallas.TX.US>
Sender: news@apctrc.UUCP
Reply-To: zjat02@apctrc.UUCP (Jon A. Tankersley)
Distribution: na
Organization: Amoco Production Company, Tulsa Research Center
Lines: 44

I've read too much not to comment.....

The question is not actually 'can you trust any university student', but 'can you trust any person'. The answer is yes and no. Short of getting some crack programmers together and brainwashing them. But even then it would be difficult, they could turn on you. Anybody is culpable. Anyone can be 'broken'. Maturity has nothing that makes it more reliable.

There are/were some University students that I can/would trust to write clean code. This is because of the 'more than cursory' knowledge of the people in question. After working with them for 4 years, I knew what their morals and ideals were. I also knew the other type, that you couldn't trust to give you the correct time. But, even these people I could trust could/can be broken and subverted. And that is not a crime. That is human nature. Given the correct type of hard choices, anyone can be subverted.

But this doesn't deal with the issue. Ethics is something learned from day 1. Education on ethics points out some of the problems when dealing with ethics, but it doesn't teach ethics. Scruples are learned also. Beyond the ancient form of measure, there is no education for scruples.

But it also takes discipline. Discipline to document what is really going on. Discipline to get it done the right/correct/best way. Discipline to not be seduced by 'creeping featurism' (a seduction/subversion listed above). There will always be bugs and loopholes.
Security is not a passive function. But it is often treated that way. Fix it when something slips. Active

Even I am 'guilty' of letting security lapse, partially due to ignorance and partially due to lack of time to devote to security auditing. Even with all of the C1-B2 auditing going on, it is still an active job. If nobody ever looks at the logs..... then there is no security.

The biggest result of the 'Attack of the Hungry Worm' will be a clamping down on the ease of use of networking. New 'conveniences' will be developed with new 'features' that will present new 'loopholes' in the never ending seesaw battle between 'good and evil' (convenience and security).

Sigh... Back to work.

Standard disclaimers, etc, etc, etc. and to be redundant etc.

-tank-
#include /* nobody knows the trouble I .... */