Xref: utzoo news.admin:3992 news.sysadmin:1453
Path: utzoo!attcan!uunet!husc6!bloom-beacon!mcgill-vision!iros1!ouareau!goutier
From: goutier@ouareau.iro.umontreal.ca (Claude Goutier)
Newsgroups: news.admin,news.sysadmin
Subject: Some worms reflexions
Message-ID: <746@mannix.iros1.UUCP>
Date: 14 Nov 88 15:39:15 GMT
References: <361@itivax.UUCP> <367@execu.UUCP> <1294@tmpmbx.UUCP> <367@itivax.UUCP> <709@stylus.cme-durer.ARPA>
Sender: news@iros1.UUCP
Reply-To: goutier@iros1.UUCP (Claude Goutier)
Organization: Universite de Montreal
Lines: 42

With respect to the worm incident, remember that Happiness doesn't rhyme with Sloppiness. There could be much fun and challenge in tightening up a system while keeping it friendly for the end user.

Releasing an official version of a program like SENDMAIL with debugging options turned on (especially when those are compromising the security of the system) seems to me a lack of concern and responsibility. Like the modeline in VI, this makes me think of mild trojan horses casually left over just in case it might prove helpful in some future.

About the worm creator, I think he lacks maturity and responsibility. I don't think that his purpose was to make people think more seriously about security. He should have known that showing a flaw is not enough to remove that flaw (Have you heard of new releases of UNIX systems with the sendmail option turned off yet for those sites which received/paid for binary only?). When he realised that his worm/baby went astray, did he help to repair his mischief?

As for programming, he was clever but missed his point since the worm didn't go unnoticed, rather the contrary. Thus a faulty program and an experiment that turned sour. This does not qualify as brilliant. On second thought, would you hire such a programmer?

Now think of the other smart good guys who do not put their names on the front page of the newspapers but who nevertheless make a real contribution to the field of computer science (think about Larry Wall, Henry Spencer, Richard Stallman, etc. just a few names thrown "pele-mele").

In conclusion, we should put more energy into closing up gaps in our systems than debating the mishap or virtue of the people who illustrate the failures of our systems by absurdum. To do otherwise is just a waste of resources and energy.

--
Claude Goutier
Centre de calcul, Universite de Montreal
C.P. 6128, Succ "A", Montreal (Quebec)
Canada H3C 3J7
goutier@iro.umontreal.ca
(514) 343-7234