Path: utzoo!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!ucbvax!OKEEFFE.BERKELEY.EDU!bostic
From: bos...@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.protocols.tcp-ip
Subject: UNIX security
Message-ID: <8811211917.AA15361@okeeffe.Berkeley.EDU>
Date: 21 Nov 88 19:17:29 GMT
Sender: dae...@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 28


There are two points I would like to make regarding recent articles I've
seen on tcp-ip, phage, comp.unix.whatever and several other mailing lists.

The first concerns the widespread belief that "everybody" knew about the
bugs used by the worm.  This is not true.  Rick Adams has been trying to
contact "everybody" for about two weeks and he's come up empty-handed.  The
number of people that knew about fingerd seems to be less than five, with
a like number knowing about the sendmail debug problem.  Counting whoever
wrote the worm.  Neither Sun nor UC Berkeley knew about the bug.

My second concern is the equally widespread belief that UNIX isn't secure
and that it cannot be made secure; this belief is typified by quotes along
the lines of "I have known about the security holes in Unix for almost ten
years" and "I've got lists of UNIX security problems you wouldn't believe."

UNIX is neither more nor less secure than any other general purpose operating
system I'm aware of.  It can be made as secure as you wish -- Gould, Sun,
and AT&T, among others, have done interesting work in this area.

Now, the lists of security problems, the ten-year-old bug lists, and the fact
that the tiger team from somewhere broke the su command in 1970-something,
that's ancient history.  UNIX is a fairly fast moving target, and we might as
well get used to that.  It's a feature, not a bug.  Ten years ago we were
running Version 7 on PDP 11/34's; I trust that most of the split I/D security
issues have been addressed.

Keith Bostic