Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ncar!tank!nic.MR.NET!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon S. Allbery)
Newsgroups: news.sysadmin
Subject: Re: Virus: I blame the vendors
Message-ID: <13139@ncoast.UUCP>
Date: 16 Nov 88 23:47:36 GMT
References: <563@husc6.harvard.edu>
Reply-To: allbery@ncoast.UUCP (Brandon S. Allbery)
Followup-To: news.sysadmin
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 108

As quoted from <563@husc6.harvard.edu> by reiter@endor.harvard.edu (Ehud Reiter):
+---------------
| I think the vendors bear the lion's share of guilt in this affair.
| Why the hell didn't Sun and friends fix these security holes ages ago?
+---------------

I can answer this, perhaps not for Sun but in general.

I've annoyed many a client with "Standard Security Speech #1", discussing the importance of not running all their programs from an unpassworded "root" login. And many of those clients have modems.

I didn't realize just how bad the situation was until one of those clients argued back that they bought an ***** (name deleted to avoid advertising) system because a business associate had complained about 3B/2's not allowing "root" to log in on non-console terminals. Why was this so bad? "We don't want to have our users be restricted in what they can do."

PEOPLE ARE IGNORANT ABOUT COMPUTERS. PEOPLE DON'T WANT SECURITY. PEOPLE WANT TO LOAD THEIR APPLICATIONS INTO THEIR COMPUTERS AND TRUST THAT GOD WILL KEEP THE CRACKERS OUT. AND THERE HAVE BEEN CASES WHEN A COMPANY WILL REFUSE TO BUY A PARTICULAR COMPUTER BECAUSE IT COMES WITH SECURITY ENFORCEMENT.

The vendors have made mistakes, certainly. But their customers have a nasty tendency to consider these mistakes to be features.

Common arguments used by these people when confronted with the flaws in their reasoning:

"Nobody knows our computer's phone number."
-- Demon-dialer programs are trivial, especially when used with smart modems that can recognize voice answers.

"We don't have any information that anyone would want."
-- Fine, so you don't have to worry about industrial espionage. But how about young Mr. Morris? Or the cracker gang that was broken by the FBI earlier this year, that operated in the Cleveland area? Much less interstate gangs, courtesy PC Pursuit.

"It {won't,can't} happen to us."
-- Needs no commentary. Ask any sysadmin on the Internet.

Worse is that almost *every* small Un*x system out there has NO security, because the salesdroids that installed them and set them up didn't know about it. They have everyone run as unpassworded root. They load applications into /tmp, where any cracker can destroy the entire system with just ONE publicly-executable "rm". They don't say word one about backup procedures. And many of them don't give their customers the master disks to their software, so if their programs get blasted they're up sh*t creek without a paddle.

That last paragraph is the worst part. We work primarily with reasonably pure Xenix and Unix System V -- no sendmail, no fingerd, no ftpd, no susceptibility to the *current* worm. And capable of quite good security. But setting up security takes some work -- it always has, it always will -- and most salesdroids are too busy counting their commissions to consider doing that work. If they even know anything about security, which I would doubt after some of the things I've seen.

The Morris worm is well on its way to becoming the kernel of my "Standard Security Speech #2". Maybe a few people will pay attention this time; one of *****'s failures is that systems ship with a "uucp" login enabled and security disabled even in HDB UUCP. All it'd take is a UUCP version of the Morris worm and a demon-dialer program to wreak havoc in these small systems.

Vendors have some blame, but their oh-so-naively-trusting customers and oh-so-ignorant salesmen (or distributors' salesmen, who the vendors have no control over) have even more. Education is the answer here. It is a sad but true fact that only an actual invasion of their systems will get any response out of them; Matt Weiner is absolutely right about that.

----

Various people want to put ALL the blame on:

- RJ Morris Jr
- Vendors (mtXinu and Sun)
- Internet sysadmins

The simple fact of the matter is that all of them, and many others, are equally culpable. Something must be done about *all* of them, not just some person's pet enemy. The insensately enraged must accept that better security would make this kind of invasion much less likely; Weemba must accept that ethics will *also* make it less likely, not only because fewer people will be tempted to play with security holes but because people who've been trained to respect the computers they use will be more likely to report security holes *and do something about them* (and, not incidentally, that the only security which will effectively prevent all such breakins will also spell the end of the Brahms Gang, and the Internet, and the Usenet, and the Information Age); Ehud Reiter and people of similar mind must accept that vendors do what sells, *and* *security* *doesn't* *sell*; vendors must recognize that minimum standards MUST be insisted upon in their distributors/resellers/etc. to make sure that the security features they provide are used when they are needed.

Wake up, indeed. Wake up, EVERYBODY; we've just received a warning of impending Doomsday. Stop pointing fingers at each other and DO SOMETHING ABOUT IT.

[I just pushed every project I've got off the table. Next project: since I haven't seen one yet, I'm going to try to rework UUPC into a PD HDB clone. At least insofar as security features are concerned. G*d alone knows how many Xenix systems are wide open thanks to V7 UUCP...!]

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@.