Path: utzoo!attcan!lsuc!ecicrl!clewis
From: clewis@ecicrl.UUCP (Chris Lewis)
Newsgroups: news.sysadmin
Subject: Re: Virus: I blame the vendors
Message-ID: <150@ecicrl.UUCP>
Date: 22 Nov 88 03:01:45 GMT
References: <563@husc6.harvard.edu> <13139@ncoast.UUCP>
Reply-To: clewis@ecicrl.UUCP (Chris Lewis)
Organization: Elegant Communications Inc. (CRL Division)
Lines: 47

In article <13139@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes:
>As quoted from <563@husc6.harvard.edu> by reiter@endor.harvard.edu (Ehud Reiter):
>| I think the vendors bear the lion's share of guilt in this affair.
>| Why the hell didn't Sun and friends fix these security holes ages ago?

>PEOPLE ARE IGNORANT ABOUT COMPUTERS. PEOPLE DON'T WANT SECURITY. PEOPLE
>WANT TO LOAD THEIR APPLICATIONS INTO THEIR COMPUTERS AND TRUST THAT GOD WILL
>KEEP THE CRACKERS OUT. AND THERE HAVE BEEN CASES WHEN A COMPANY WILL REFUSE
>TO BUY A PARTICULAR COMPUTER BECAUSE IT COMES WITH SECURITY ENFORCEMENT.

[rest of diatribe deleted...]

Hear, hear!

One of our main lines of business is picking up the pieces after various
salesdroids (usually high priced "consultants" or sellers of packaged
basic software) have totally trashed some poor customer's machine.

Security? Hah! EVERY silly little basic mailing list program simply
*has* to run root. No userids, *everybody* runs root. And, of course,
every basic program simply *has* to have the printer directly - no
spoolers for them. What do you mean something else wants to use the
printer? Closing files? No that's too difficult. If a terminal hangs?
Simple, push reset on the computer! "What do you mean that might damage
it? It didn't the 6 times I did today! I've programmed in basic on Wang
2200's for 10 years, don't tell *me* how UNIX computers work".

Sigh. We're not letting *any* of our customers hook up modems until
we've unravelled the mess their consultants have made...

No, the majority of machines on the net aren't anywhere near as bad as
that. Thank god.

But, take heed about the security issues being raised in this newsgroup!

Sure, some vendors have made somewhat silly decisions or let things
slip. However, maintaining the amount of software in a typical UNIX
release is an awesome task (considering the sheer quantity of software
involved).

Frankly, the biggest cause of holes is sloppy or inept SA's, inadequate
documentation or training (does *your* company make sure that everybody
has the right manuals or training?) and insufficient commitment to
administration by the system's owners.
--
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)