X-Message-Index: 159
X-Message-Prev: 116
X-Message-Next: 157
X-Thread-Prev: 100
X-Thread-Next: 209
From: encore!pinocchio!bzs@talcott.harvard.edu (Barry Shein)
To: phage
X-To: piet@cwi.nl, phage
Subject: ftpd
Date: Mon, 7 Nov 88 14:39:42 est
X-Date: Mon 14:39:42 07/11/1988 EST

>Barry, I trust you; all others on this list will too,
>I presume. But potentially there's a danger, especially
>under the current circumstances: suppose someone puts a
>"virused" ftpd (or whatever) binary on some machine, then
>sends out a mail, forging it such that it seems to come
>from you. Guess what will happen...

I agree with your concern and am trying to come up with an alternative (we will be distributing "official" fixes thru normal channels but of course that takes more than the hour which this took.)

So, everything is a trade-off, is the chance that someone will manage to break into our system and install a virus in that code greater than the risk of leaving sites naked to that particular bug for even a few days? (I realize they can shut off anonymous ftp but that's not that attractive to everyone either.) I don't think so, sometimes one has to make a decision.

There's also a difference, I hope, between the machine "encore.com" and "some machine...". Heck, there's nothing we can do if someone does what you describe, put up a virus somewhere and claim it to be an official fix, that's like prying chewing gum off the lunchcounter...

-Barry Shein, ||Encore||