Re: rtm and uucp


Brad Turner (oliveb!3comvax!bridge2!mbt@ames.arc.nasa.gov)
14 Nov 88 17:26:29 GMT


In article <1777@ndsuvax.UUCP> ncoverby@ndsuvax.UUCP (Glen Overby) writes:
>
>In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US
> (John F. Haugh II) writes:
>>It would be so nice if someone would undertake a security audit to
>>insure that work other college students did, which *is* currently
>>in production, doesn't contain any surprises.
>
>This security audit should go for any software posted to the net or
>otherwise available (anon uucp, anon FTP, etc), as well as on a per-vendor
>basis (who's to say that ABC computer maker didn't botch something in their
>port?).
>
>Glen Overby
>ncoverby@plains.nodak.edu uunet!ndsuvax!ncoverby
>ncoverby@ndsuvax (Bitnet)

(out of context of course and maybe not 100% exact)
Frank Burns: I wouldn't be so paranoid if everybody wasn't watching me

Let's all put on our paranoia pants and do the little "somebody is out
to get me" dance!

I'm not suggesting that security should be ignored, or that code should
never be looked at after the first successful compile. It's just that I
hate to see everybody join a posse/lynch mob because of ONE (not several,
ONE) incident. So....

Face it, unless you are willing to personally inspect every piece of source
for every executable that's on your machine you're potentially compromising
the security of your system. It's no good to "audit" the code, because how
do you know the auditors can be trusted? Couldn't one dishonest auditor do
more harm than anybody else? Think about it, one central group in
charge declaring what is and is not fit. A single point of failure!

What it comes down to is the fact that systems these days are far too
complicated for a single person to deal with. You have to trust your
fellow human being at some point in time, otherwise everybody will be
doomed to re-inventing the wheel. Do you personally have the time and expertise
to code a boot load PROM? Then go from there to a monitor program to an
assembler to a compiler to....vmunix...>rest-of-unix<....ad nauseam. Then
if you really want to get paranoid, how about the hardware? You're going
to have to design your own CPU, mask it yourself, produce it yourself.
Don't forget the glue logic, make your own 74xxx chips, resistors, caps
etc... Where does it stop???? I give up, let's disband society and all go
live in the woods where only the wildlife can get ya'.

While I'm on my soapbox (and guilty)...Is it possible that we (the computing
community) have wasted more time discussing/arguing about the worm than
we spent discovering/dissecting/eradicating/patching? My personal view
is that the gossip fence has gotten overcrowded and we need to let the
issue die and quit wasting net bandwidth rehashing every different
flavor of the same argument/issue.

Thanks for your time, have an OK day, and DON'T post a followup.

-brad-

--
v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
Brad Turner	1330 Ashleybrook Ln.	(919) 768-2097	| I speak for myself
3Com Corp.	Winston-Salem, NC 27103	mbt@bridge2	| NOT for my employer.


