Re: serious telnet bug; is it just me?

Tim Keanini (blast@crl.com)
Fri, 8 Sep 1995 22:02:44 -0700 (PDT)

On Fri, 8 Sep 1995, Chris Woods wrote:

> On Fri, 8 Sep 1995, Dr. Delete Ph.D. wrote:
>
> > I'm waiting for crash-portmaster-worm.c to show up on Internet...
> >
> > It'd be quite trivial to code.
>
> Quite.
>
> > Almost as trivial as it is to FIX this problem..
> >
> > Just use packet filters, people :-) sheesh..
>
> Of course, we all realize that is not the *real* fix for the *real*
> problem, but it is a band-aid for now, and works.

The fact of the matter really is that "BUGS HAPPEN"!
If ANYONE is concerned about security, they should be using tools to help
them implement a "LEAST PRIVILEGE" environment. PACKET FILTERS,
WRAPPERS, chrooted processes, proxies, 'chflags' files, all help in the
fight. What you don't want to have is an arms race by which you hear about
something like this bug and then you have to go and close it up.
Basically, by the time you hear about the problem, it is too late.
If you admin these things from just a few machines, by all means make
sure it is only those machines that can make the connection. In fact, if
any other IPs try and make the connection, I hope someone's pager will
start to ring. :-)

--blast
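
Added example, not part of the original message: a sketch of the "pager rings when a non-admin IP connects" check described above, run over a connection log. The log format, the admin addresses, the sample lines and the choice of port 23 are all constructed assumptions for illustration.

```python
import ipaddress
import re

# Assumption: only these admin workstations may reach the management port.
ADMIN_HOSTS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]
MGMT_PORT = 23  # assumption: the device is administered over telnet

# Constructed log format: "<timestamp> CONN src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) CONN src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")

SAMPLE_LOG = """\
1995-09-08T21:50:01 CONN src=192.0.2.10 dst=192.0.2.1 dport=23
1995-09-08T21:51:17 CONN src=198.51.100.7 dst=192.0.2.1 dport=23
1995-09-08T21:51:19 CONN src=198.51.100.7 dst=192.0.2.1 dport=23
1995-09-08T21:52:40 CONN src=203.0.113.5 dst=192.0.2.1 dport=80
this line is garbage and must not crash the parser
1995-09-08T21:53:02 CONN src=not-an-ip dst=192.0.2.1 dport=23
"""


def find_alerts(log_text):
    """Return ({source: {"count": n, "first_seen": ts}}, rejected_lines) for
    every source outside ADMIN_HOSTS that connected to MGMT_PORT."""
    alerts, rejected = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            rejected.append(line)  # keep unparseable lines visible
            continue
        if int(m["dport"]) != MGMT_PORT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            rejected.append(line)  # bad source field: surface it, don't drop it
            continue
        if any(src in net for net in ADMIN_HOSTS):
            continue
        entry = alerts.setdefault(str(src), {"count": 0, "first_seen": m["ts"]})
        entry["count"] += 1
    return alerts, rejected


if __name__ == "__main__":
    alerts, rejected = find_alerts(SAMPLE_LOG)
    for src, info in alerts.items():
        print(f"PAGE: {src} hit port {MGMT_PORT} x{info['count']}, first at {info['first_seen']}")
    print(f"{len(rejected)} line(s) could not be parsed")
```

This only detects; the packet filter still has to drop the connection, and the log it reads has to come from the filter or the device itself.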