Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ncar!tank!shamash!nic.MR.NET!thor.acc.stolaf.edu!mike
From: mike@thor.acc.stolaf.edu (Mike Haertel)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX and viruses
Message-ID: <2367@thor.acc.stolaf.edu>
Date: 11 Jun 89 01:29:37 GMT
References: <19930@adm.BRL.MIL> <4457@ficc.uu.net> <16655@rpp386.Dallas.TX.US>
Reply-To: mike@stolaf.edu
Organization: St. Olaf College, Northfield, MN
Lines: 32

In article <16655@rpp386.Dallas.TX.US> jfh@rpp386.cactus.org (John F. Haugh II) writes:
>It ends with some very sound advice - eventually a secure OS comes
>down to trusting the people who wrote the code. I don't think GNU
>will ever produce a trusted OS for exactly this reason - who is
>going to trust people such as Stallman who believes security is
>something big companies use to steal from the average Joe?

You do Richard a great disservice in this assumption. It is doubtful
that he will want to do anything beyond traditional UNIX protection
mechanisms in GNU. However, if he were to announce that he intended
to, say, produce a secure system, I would have a great deal more faith
in him than I would have in software companies.

Who is going to trust big companies, which are interested in getting
a product to market sooner than the competition?

Who is going to trust big companies, that are likely to keep problems
secret to avoid marketing losses, rather than making fixes available
in a timely and public fashion?

Who is going to trust organizations like the NSA, who just *might*
want to see people using systems with holes that only they know about?
Remember the DES controversy.

The only system you can trust is the one you design, build, and program
yourself, from the chips on up. (And then only if you really know what
you are doing--there are many nonobvious traps for the unwary--just
look at all the dumb done by authors of setuid programs in UNIX.)

Incidentally, does anyone know if Ken Thompson's proposed compiler hack
was ever implemented?
--
Mike Haertel
``There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.''
	-- J. S. Bach