Re: Morris bashers...


NASA ARC NSI Project Office (medin@nsipo.nasa.gov)
Mon, 14 Nov 88 10:05:29 -0800


Well, let me throw in my opinion here. With regards to the bugs
used by the virus, I, nor any of my friends at UCB knew about
them. I don't believe anyone in the CSRG at UCB knew about them.
If we had, one of us would have seen to it that it would have been
fixed. Just look at the number of security related patches that
UCB has put out on comp.bugs.ucb-fixes in the past year. People
are serious about fixing bugs in 4.3, but UCB, and I doubt
anyone else are out there, are auditing code.

The CSRG releases a RESEARCH operating system called Berkeley
Unix. It happens to be a very useful release, and many people
use it, but it is not a product. There is no software
warranty, and it's fairly cheap. So I don't have problems with
the CSRG about these bugs; they only do best effort work, and
they really don't even need to do that. Where I do find a LOT
of problems is what the vendor community is doing here. SUN and
DEC produce 'products' out of Berkeley Unix. They charge real
money for these products. Yet Sun for example had a serious
security bug in one of the network utilities that they knew
about for a year (I have the bug report number), and didn't
issue a patch at all, but waited for 4.0 to fix the problem.
This is ridiculous. DEC is just as bad. It's the vendors
who have the responsibility for auditing the code they release.
Go scream at SUN for not finding the bug, not at Berkeley.

Further, you will always get less buggy code from the CSRG
than the vendor community. Why is that? The vendor
community normally tracks 4.3 pretty well, though lags
by an inordinate period of time often enough. If SUN or DEC
finds a bug, they usually tell CSRG about it and
fix it. CSRG then fixes it internally, and if appropriate,
shortly afterwards releases a bug fix over the network. They
also get bug reports from others as well. So CSRG typically
fixes bugs quickly. SUN and DEC and company don't usually
issue patches; they wait for the next rev. of OS release.
Further, often times the development people fix the bug in the
code they are using, not in what the 'software manufacturing'
group is distributing. So they need to retrofit the fix.
What it boils down to is that 4.3 has the fixes out soon
after they know about it. The vendors wait huge periods
of time unless some sort of crisis develops. You see the
recent postings about ftpd bug fixes to comp.bugs.ucb-fixes?
Have SUN or DEC released patches yet? Do you really think
that bug is only in 4.3? The first thing I do when bringing
up a SUN release (I'd do the same thing if I had Vaxstations
instead of SUNs) is throw away all the vendor distributed network
code and port the latest 4.3 utilities. They work better
in general and have fewer bugs (read security problems).
Also, this way I have source code, so when UCB issues a
bug fix, I can fix it in 5 minutes, as opposed to feverishly
beating on my vendor to give me a binary patch that
probably hasn't even been produced in the company yet.
Folks, for security reasons alone, insist on source code!

Mike Padilipsky has a chapter in his book "Elements of Networking
Style" called "The Myth of Vendor Support". It's good reading.
Anyone from SUN or DEC want to throw rocks at what I've said?
I'd love to be proven wrong!

Now, about Morris. Firstly, we don't know if he's responsible
for this thing. Unless someone has seen a confession, we really
don't know if he's the one yet. He may well be, but it's
not absolutely clear yet. But if he is the guy, then the FBI
MUST be able to sucessfully argue a felony case against him
and lock him up. It makes no difference what his intentions
were or are. If he did it, he needs to be made an example of.
People playing around occaisionally and attempting to crack
a system out of a sense of novelty is one thing, but something
as large and as well publicized as this virus requires action.
The Internet operates fairly freely, but always has this notion
of a heavy weight somewhere above that can drop on troublemakers
and squash them out of existance. Otherwise what happens is
that you get a bunch of urchins attacking things all over
the place, and then you have to start restricting the
openess of the network, and thereby lessening it's utility.
So, when people cause this much trouble, they need to be
vigorously prosecuted. Fortunately, I believe the laws here
don't require proof of malice, only proof of damage. And
I'm sure that the various government agencies involved
spent a pile of money (in terms of people's time) to squash
this thing, so that shouldn't be hard to prove.

Some people are saying that since the virus wasn't intentionally
harmful, that all this fuss is really no big deal, and it should
be fixed, but is not that big of a deal. As a person who
was fighting it fairly early on, I'd have to say that we didn't
know it wasn't harmful until we saw the decompiled code a few
days later. When we were trying to purge our systems of
the thing, we had to assume worst case and that the thing
was harmful. We had no reason to assume it wasn't. So we
put in a lot of work to squash it. It was the prudent thing
to do.

And lastly, let's not forget this was a computer problem, not
a network problem. Sure the network facilited it's travel,
but not all computers on the net were affected. As my boss
at NASA HQ said, you don't shut down the Interstate highway
system just because some burgler traveled a freeway on the
way to robbing someone's house. You beef up security at
the house, not close all the off-ramps. If you are concerned
about security, make sure your systems are well administered
and managed. That's the best thing you can do to avoid problems.

                                        Thanks,
                                           Milo

PS All the usual disclaimers about this not being the opinion
of the US Government, Sterling Software, etc... apply here
of course...



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT