Path: utzoo!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!ucbvax!OKEEFFE.BERKELEY.EDU!bostic
From: bos...@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.protocols.tcp-ip
Subject: UNIX security
Message-ID: <8811211917.AA15361@okeeffe.Berkeley.EDU>
Date: 21 Nov 88 19:17:29 GMT
Sender: dae...@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 28

There are two points I would like to make regarding recent articles I've seen on tcp-ip, phage, comp.unix.whatever and several other mailing lists.

The first concerns the widespread belief that "everybody" knew about the bugs used by the worm. This is not true. Rick Adams has been trying to contact "everybody" for about two weeks and he's come up empty-handed. The number of people that knew about fingerd seems to be less than five, with a like number knowing about the sendmail debug problem. Counting whoever wrote the worm. Neither Sun nor UC Berkeley knew about the bug.

My second concern is the equally widespread belief that UNIX isn't secure and that it cannot be made secure; this belief is typified by quotes along the lines of "I have known about the security holes in Unix for almost ten years" and "I've got lists of UNIX security problems you wouldn't believe."

UNIX is neither more nor less secure than any other general purpose operating system I'm aware of. It can be made as secure as you wish -- Gould, Sun, and AT&T, among others, have done interesting work in this area.

Now, the lists of security problems, the ten-year-old bug lists, and the fact that the tiger team from somewhere broke the su command in 1970-something, that's ancient history. UNIX is a fairly fast moving target, and we might as well get used to that. It's a feature, not a bug. Ten years ago we were running Version 7 on PDP 11/34's; I trust that most of the split I/D security issues have been addressed.

Keith Bostic