The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #159 [ftpd] (1 message, 880 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/159.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: encore!pinocchio!bzs@talcott.harvard.edu (Barry Shein)
To: phage
Date: Mon 14:39:42 07/11/1988 EST
Subject: ftpd
References: [Thread Prev: 100] [Thread Next: 209] [Message Prev: 116] [Message Next: 157]


>Barry, I trust you; all others on this list will too,
>I presume. But potentially there's a danger, especially
>under the current circumstances: suppose someone puts a
>"virused" ftpd (or whatever) binary on some machine, then
>sends out a mail, forging it such that it seems to come
>from you. Guess what will happen...

I agree with your concern and am trying to come up with an alternative
(we will be distributing "official" fixes thru normal channels but of
course that takes more than the hour which this took.)

So, everything is a trade-off, is the chance that someone will manage
to break into our system and install a virus in that code greater than
the risk of leaving sites naked to that particular bug for even a few
days? (I realize they can shut off anonymous ftp but that's not that
attractive to everyone either.)

I don't think so, sometimes one has to make a decision.

There's also a difference, I hope, between the machine "encore.com"
and "some machine...". Heck, there's nothing we can do if someone does
what you describe, put up a virus somewhere and claim it to be an
official fix, that's like prying chewing gum off the lunchcounter...

	-Barry Shein, ||Encore||

END OF DOCUMENT