UNIX and viruses

[Mike Haertel]

In article <16655 at rpp386.Dallas.TX.US> jfh at rpp386.cactus.org (John F. Haugh II) writes:
>It ends with some very sound advice - eventually a secure OS comes
>down to trusting the people who wrote the code.  I don't think GNU
>will ever produce a trusted OS for exactly this reason - who is
>going to trust people such as Stallman who believes security is
>something big companies use to steal from the average Joe?

You do Richard a great disservice in this assumption.  It is doubtful that
he will want to do anything beyond traditional UNIX protection mechanisms
in GNU.  However, if he were to announce that he intended to, say,
produce a secure system, I would have a great deal more faith in him
than I would have in software companies.

Who is going to trust big companies, which are interested in getting a
product to market sooner than the competition?  Who is going to trust
big companies, that are likely to keep problems secret to avoid
marketing losses, rather than making fixes available in a timely and
public fashion?  Who is going to trust organizations like the NSA, who
just *might* want to see people using systems with holes that only they
know about?  Remember the DES controversy.

The only system you can trust is the one you design, build, and program
yourself, from the chips on up.  (And then only if you really know what
you are doing--there are many nonobvious traps for the unwary--just look
at all the dumb done by authors of setuid programs in UNIX.)

Incidentally, does anyone know if Ken Thompson's proposed compiler
hack was ever implemented?
-- 
Mike Haertel <mike at stolaf.edu>
``There's nothing remarkable about it.  All one has to do is hit the right
  keys at the right time and the instrument plays itself.'' -- J. S. Bach