Internet Virus: SunOS patches

David F. Carlson dave at micropen
Tue Nov 15 02:48:10 AEST 1988


In article <447 at auspex.UUCP>, guy at auspex.UUCP (Guy Harris) writes:
> >> You can argue, probably justifiably, that they [Sun] should either have turned
> >> DEBUG off when building it, or at least made debug mode not have the
> >> side-effect of allowing addresses other than user names in RCPT lines,
> >> but you can also argue that Berkeley should have done that as well.... 
> >
> >  I have not seen Berkeley advertising the suitability of their work for end-
> >  user or commercial applications.  Sun's does daily.
> 
> original poster was asserting that Sun and Mt. Xinu had done precisely
> that, which was simply not true.)

Whether this DEBUG mode is a sin of commission or omission is not terribly
relevant.  My original point was that even as a binary only System V licensee,
I was aware of this "problem" in BSD 4.2.  My point was that there should be
some responsibility of vendors to their customers that includes being aware
of the several classic security issues and attempting to remedy or at very
least to disclaim the problem to affected site administrators.  Simply typing
"make vmunix" and arguing whether the flag is default on or default off evades
the real issue which is:  why are responsible vendors issuing, as their own,
software with large KNOWN problems in security and not disclaiming this
to their customers.

Another question is why was the Department of Defense security staff blissfully
unaware of this problem by continuing to approve purchases and the use of
machines from vendors with this problem?  Like Reagan and arms purchases:
is it "better" that he knew about it or that he knew nothing about it?
Is it "better" that the security advisors to the ARPA-net didn't know about
this "problem"?  Or did they know about it, ignored it and then didn't tell
anyone on the MILNET that ordered these systems that they were highly insecure
to this type of attack?  Neither of these scenarios is very pleasant to my
taste.

-- 
David F. Carlson, Micropen, Inc.
micropen!dave at ee.rochester.edu

"The faster I go, the behinder I get." --Lewis Carroll



More information about the Comp.unix.wizards mailing list