
A *Big* Thank You


Steve C. Simmons

Nov 5, 1988, 3:57:08 PM

In the midst of all the frantic work to eradicate the worm and
inoculate ourselves against it in the future, let's not forget
a big Thanks to all the folks who moved so incredibly fast on
finding it, creating fixes, and distributing them with large
chunks of the net going to hell in a handbasket. We're in your
debt, folks.

Steve Simmons, Systems Support Mgr, ITI
(yes, I know most of that's in my .sig. I wanted it here as
an official thanks from ITI).

--
Steve Simmons ...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."

Dewey Henize

Nov 6, 1988, 12:11:31 AM
In article <3...@itivax.UUCP> s...@itivax.UUCP (Steve C. Simmons) writes:
>
>In the midst of all the frantic work to eradicate the worm and
>inoculate ourselves against it in the future, let's not forget
>a big Thanks to all the folks who moved so incredibly fast on
>finding it, creating fixes, and distributing them with large
>chunks of the net going to hell in a handbasket. We're in your
>debt, folks.
>
>Steve Simmons, Systems Support Mgr, ITI

I'd like to add my thanks as well. Although a UUCP site, we didn't have any
idea that that was a plus in safety. We DID know though that some really
good people were working on the problem and getting timely patches and
procedures distributed that our small organisation would have been completely
unable to produce ourselves. Because of these people not only finding out
what was going on but also informing us, we didn't have to draw back into
a turtle shell and depend on poor newscasts and (shudder) the local
imitation of a newspaper. Many thanks and lots of appreciation.

On the next area of consideration, who's gonna get hold of the bastard
that caused this and beat the shit out of him? Having a daddy that's a
supposedly high security muckety-muck should, if anything, imply that the
[censored] should know a lot better... And it's not like the law is gonna
do much, there isn't even a clear picture of what laws are broken by ruining
the days of hundreds or thousands of people..

What the hell, someone had to say that part. If you disagree, don't let
that stop you from thanking the GOOD folks.

Dewey Henize
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| There is nothing in the above message that can't be explained by sunspots. |
| execu!dewey Dewey Henize |
| Can you say standard disclaimer? I knew you could. Somehow... |

John F. Haugh II

Nov 6, 1988, 11:24:10 AM
In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>I'd like to add my thanks as well. Although a UUCP site, we didn't have any
>idea that that was a plus in safety.

Hear, hear.

I wish to applaud Rick Adams for sending out messages to myself and Allen
Gwinn down here in Dallas letting us know something was afoot.
--
John F. Haugh II +----Make believe quote of the week----
VoiceNet: (214) 250-3311 Data: -6272 | Nancy Reagan on Richard Stallman:
InterNet: j...@rpp386.Dallas.TX.US | "Just say `Gno'"
UucpNet : <backbone>!killer!rpp386!jfh +--------------------------------------

Hans H. Huebner

Nov 6, 1988, 2:59:34 PM
In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him? Having a daddy that's a
>supposedly high security muckety-muck should, if anything, imply that the
>[censored] should know a lot better... And it's not like the law is gonna
>do much, there isn't even a clear picture of what laws are broken by ruining
>the days of hundreds or thousands of people..
Maybe you should better thank this guy as well, since he revealed some
nasty bugs in widespread operating systems. He SURELY showed everyone that
computer systems are not secure, and that security IS a thing one has to be
aware of. Just imagine what would have happened if the worm/virus had
contained some nasty code to destroy files or the like. The sendmail bug
certainly gave the worm access rights to destroy mail and eventually other
vital system information.

I'd be careful in generally judging hackers as bad guys. Better think about
the possibilities bugs can give to your favoured opponent. Every hour spent
in the last week to get rid of the worm is a good investment in the security
of future software products.

Let's be happy that it is over, and that the Internet is now more secure.

Hans

--
Hans H. Huebner, netmbx | PSIMail: PSI%026245300043100::PENGO
Woerther Str. 36 | DOMAIN: pe...@tmpmbx.UUCP
D-1000 Berlin 20, W.Germany | Bang: ..!{pyramid,unido}!tmpmbx!pengo
Phone: (+49 30) 332 40 15 | BITNET: huebner@db0tui6

Paul Anderson

Nov 7, 1988, 11:05:15 AM
In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>In article <3...@itivax.UUCP> s...@itivax.UUCP (Steve C. Simmons) writes:
>>
>>...a big Thanks to all the folks... We're in your debt, folks.

>>Steve Simmons, Systems Support Mgr, ITI
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?
> Dewey Henize

Yes, my thanks too. But I disagree with trashing the kid. He did nothing
more than walk in the front door of your house and let all the hot air out.

The worm did nothing except scare the shit out of a lot of
people. What if it had done something *BAD*? I know, we don't know
yet... But it could have shut the country down! We should panic, yes!
And get our security up to snuff. "Would the Russians have been so
nice?" I betcha they knew how to do this one for a while. So while you
are all panicking over a *NULL* statement, give some thought to what
would have really happened if there had been some venom to the bite.

I for one, would probably hire the kid. He shows innovation and I don't
see much of that anymore.

paul
--
Paul Anderson gatech!stiatl!pda (404) 841-4000
X isn't just an adventure, X is a way of life...

John DeArmond

Nov 7, 1988, 4:04:22 PM
In article <12...@stiatl.UUCP> p...@stiatl.UUCP (Paul Anderson) writes:
>In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>>In article <3...@itivax.UUCP> s...@itivax.UUCP (Steve C. Simmons) writes:
>>>
>>>...a big Thanks to all the folks... We're in your debt, folks.
>>>Steve Simmons, Systems Support Mgr, ITI
>>
>>On the next area of consideration, who's gonna get hold of the bastard
>>that caused this and beat the shit out of him?
>> Dewey Henize
>
>Yes, my thanks too. But I disagree with trashing the kid. He did nothing
>more than walk in the front door of your house and let all the hot air out.
>
>The worm did nothing except scare the shit out of a lot of
>people.

>Paul Anderson

I'd like to echo Paul's sentiment. This kid probably did the network one
of the biggest favors possible - it opened our eyes - maybe.

I'm fairly new to Unix, having worked with it for about 2 years now (That's
rite, boys and girls, i went to school BU [before unix]) so my opinions
are a mix of relative neophyte and experienced administrator. One of the
things that has marveled me is the incredibly poor documentation for unix.
Another is the almost incredible tolerance for known bugs and problems.
After all, it's hacker-macho to be able to come up with the cleverest
workaround to a problem.

Judging from the postings I've seen the last few days, the openings he
exploited have been known for quite some time. One posting I saw was
a repost of a discussion over 2 YEARS OLD! In other words, we've known
these holes were there and, for the most part, ignored them. I can
understand a commercial, object-only site like ours being slow in
fixing such problems within binaries but there is little excuse for the
source licensees to have been bitten. I don't want to sound negative and
I don't want to offend anybody but these things need to be said.

Yeah, sure, you lost some sleep and it was a pain in the ass, and the
network was down for a day and so on.. but look at the up side of the
issue. AT THE LEAST, the following happened:

1. A blatant hole was exposed for all to see.
2. Rapid response procedures were given a good workout.
3. Disaster control procedures were exercised.
4. Much beneficial discussion has taken place and will take place regarding
this issue.
5. Hopefully some new attitudes about reasonable security will be
formed.
6. Maybe some needed changes to both Unix and the internet will be
implemented.
7. The awareness among the user body concerning security will be
heightened.

Probably the WORST thing that could happen is for the government to
make a knee jerk reaction, heavily restricting the Internet, and then
assume that peace, harmony and security have been re-established. Let's hope
with all our might this does not happen.

As far as the kid goes, I think the appropriate response should be to
punish him a bit, not for the worm itself, but for taking the chance he
did with a bug causing REAL damage. Perhaps a year suspension from school
while working in the community. Then we ought to give the kid a medal!
After all, he's done in a couple of days what years of preaching by high-
powered consultants and officials have not been able to do - spotlight
reasonable security. THEN we all ought to get down on our knees
and thank our stars that the kid was not bent on destruction.

Dewey Henize

Nov 7, 1988, 4:58:06 PM
In article <12...@tmpmbx.UUCP> pe...@tmpmbx.UUCP (Hans H. Huebner) writes:

>In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize[me]) writes:
>>On the next area of consideration, who's gonna get hold of the bastard
>>that caused this and beat the shit out of him? Having a daddy that's a
>>supposedly high security muckety-muck should, if anything, imply that the
>>[censored] should know a lot better... And it's not like the law is gonna
>>do much, there isn't even a clear picture of what laws are broken by ruining
>>the days of hundreds or thousands of people..

>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems. He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of. Just imagine what would have happened if the worm/virus had
>contained some nasty code to destroy files or the like. The sendmail bug
>certainly gave the worm access rights to destroy mail and eventually other
>vital system information.

>[...]


>
>Let's be happy that it is over, and that the Internet is now more secure.
>
> Hans
>
>--
>Hans H. Huebner, netmbx | PSIMail: PSI%026245300043100::PENGO


Hans, you're a much nicer guy than I am. I learned a long time ago that to
be secure, you close your system off from the outside world, otherwise you
cannot be really secure. Sorry, this didn't really do much in anything like
a nice way.

Yes, there are holes - and I'll bet you that while these get patched pretty
darned quickly, there will be more and more as time goes on. So? Does that
mean to you the best way to aid security is to waste thousands of hours of
other people? I doubt you mean that.

Think this through. If this clown had really been even remotely inclined to
do anything resembling help people, there are literally hundreds of other
scenarios that he could have chosen.

I know that if someone really wants to, they can go into the parking area here
and slash a few hundred tires. We don't have 24 hour a day security, because
most responsible people know better, and a large part of what's left are also
aware that doing it and getting caught will do bad things to their personal
wealth, freedom, and possibly health. Yes, a few people in the world do that
kind of thing - we call them criminals or outlaws, not 'hackers'. I still
feel that this kind of person, whether they do it with programs or do it with
other implements, is maliciously damaging other people's property. And that
it is WRONG for it to be blown off with 'Well, gee, now we know about that'.

If we are lucky, Morris will be sued to the point that his personal fortune
will be totally taken from him and he will be blackballed from anything
even resembling a responsible job for the rest of his life. And also we can
hope that this punishment will be widely publicized such that the very large
number of people that think this kind of thing is a fun thing to try will
have major second thoughts.

This won't stop it, no, I recognise that. It WILL cut it down a lot, though,
and will give the people who do try to limit this kind of damage a fighting
chance. This thing wasn't a one-night, 'gee, wonder if this would work'
episode - it simply wasn't spur of the moment or impulsive. It was a deliberate
attempt to cause great disruption, MAYBE more than he intended but definitely
an attempt to misuse the implied trust of a widely cooperating community. He
basically showed that he's not interested in being a part of that community
as far as his responsibility to it is concerned - the only part he wants is
the support to him.

Followups to alt.flame, please.

Jim Olsen

Nov 7, 1988, 5:13:38 PM
>From the Sunday New York Times (page 1):
>"[Robert Morris] quickly recognized that things had gone terribly wrong
>and, they disclosed, he arranged for a friend to send out instructions
>on eradicating the virus to the same computers plagued by the virus."

Has anyone identified this alleged eradication message? I checked our
USENET logs at the time and found no such message. I only saw partial
reports and patches, later refined as the worm was more fully analyzed.

Where did this "friend" supposedly post the message?

Physically Pffft

Nov 7, 1988, 5:24:47 PM
In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him? Having a daddy that's a
>supposedly high security muckety-muck should, if anything, imply that the
>[censored] should know a lot better... And it's not like the law is gonna
>do much, there isn't even a clear picture of what laws are broken by ruining
>the days of hundreds or thousands of people..
>
>What the hell, someone had to say that part. If you disagree, don't let
>that stop you from thanking the GOOD folks.
>
I hate to sound like I encourage this sort of thing but I think the guy did
a lot of people a hell of a favor. He was non-malicious in intent, but got
zapped by a bug. What if he had been malicious and had released a better
tested worm (oops, now maybe it's a virus again)? Want your day ruined?
Have the virus sit around until, say, the midnight before term papers are
due. Then do a 'rm -rf * /' with root privileges. He basically did what
any intelligent and/or determined hacker could have done. Knowing people as I
do I'd say it's more a matter of when and how, not if and how.

Someone suggested that this virus be loosed upon the land on a monthly
basis. I think there is a lot of merit to this type of thinking, at least
system administrators would a) be aware that people will try to hack
their systems, and b) educate them as to how their systems are vulnerable.
Don't flame me as an anarchist, the idea in its present form is unworkable.
But it's something to think about.


Jim

--
Jim Harkins j...@loral.cts.com may work.
Loral Instrumentation, San Diego
{ucbvax, ittvax!dcdwest, akgua, decvax, ihnp4}!ucsd!sdcc6!loral!jlh

Devon E Bowen

Nov 7, 1988, 7:18:29 PM
In article <12...@tmpmbx.UUCP> pe...@tmpmbx.UUCP (Hans H. Huebner) writes:
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems. He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of.

People keep saying this. Fact is, I already knew that computer systems are
not secure. I knew that the Internet is not secure. I knew that sendmail is
one of the most insecure mailers around. And I sure hope no one out there
thought differently even before the worm. He didn't teach me a whole lot. He
just wasted my time. And I'm not going to thank someone for wasting my time.


Devon Bowen (KA2NRC) FAX: (716) 636-3464
University at Buffalo BITNET: bo...@sunybcs.BITNET
Internet: bo...@cs.Buffalo.EDU
UUCP: ...!{ames,boulder,decvax,rutgers}!sunybcs!bowen

Obnoxious Math Grad Student

Nov 7, 1988, 10:08:39 PM
In article <25...@cs.Buffalo.EDU>, bowen@cs (Devon E Bowen) writes:
>People keep saying this. Fact is, I already knew that computer systems are
>not secure. I knew that the Internet is not secure. I knew that sendmail is
>one of the most insecure mailers around. And I sure hope no one out there
>thought differently even before the worm. He didn't teach me a whole lot. He
>just wasted my time. And I'm not going to thank someone for wasting my time.

ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ....................................

Nice to know SOMEONE's caught on to the real issue here: learning nothing.

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720

Steve C. Simmons

Nov 7, 1988, 10:11:09 PM
In article <12...@tmpmbx.UUCP> pe...@tmpmbx.UUCP (Hans H. Huebner) writes:
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems. He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of. Just imagine what would have happened if the worm/virus had
>contained some nasty code to destroy files or the like. The sendmail bug
>certainly gave the worm access rights to destroy mail and eventually other
>vital system information.
>
>Let's be happy that it is over, and that the Internet is now more secure.

Let's not. Suppose you found a security hole that would let you assassinate
the president. Should you:
(a) Tell the secret service, -- or --
(b) Take a toy gun and take advantage of the hole?
If you chose (b), don't be surprised if the secret service gives you a
sudden case of lead poisoning.

The ethical thing to do would have been to inform the local sysadm
of the hole, and get the patch out as has been done in other recent
(non-worm) cases. Instead this guy chose to keep his knowledge a
secret and "play" with it. He's as culpable as if he'd accidentally
dropped a vial full of smallpox bacteria in a public place.

Per Ejeklint /EFS

Nov 8, 1988, 7:47:42 AM
>
>I'd be careful in generally judging hackers as bad guys. Better think about
>the possibilities bugs can give to your favoured opponent. Every hour spent
>in the last week to get rid of the worm is a good investment in the security
>of future software products.
>
>Let's be happy that it is over, and that the Internet is now more secure.
>
> Hans
>

I agree with You Hans. Curiosity is a curse that often blinds people.
Our little hacking brat was pushed by his own curiosity beyond the limit
of common sense. A grown up person with some experience of life should
make the decision that the "test" would cause too much trouble to other
people. And if he had found out a weakness that can be used by guys 'up
to no good', he would just post his results to various channels and
in that way open the eyes of the others.
But the most effective way to focus on fatal bugs like this one is
probably to do what he did. Still, I doubt that his purpose was that
"good". I think he was curious, just curious.
Maybe we should arrange "Do-something-evil-contests" where hacking brats
could compete in destroying things (given a stand-alone computer), and then
use the results as a feedback to sysadmins (and security daddies).

I'm sure that our little star of this month (You know who) has some
interesting things to say, so if You read this, send me a mail!

Per Ejeklint
Stockholm, Sweden

Amos Shapir

Nov 8, 1988, 10:57:02 AM
I don't think I have seen anybody mention Sun's contribution to the spread
of the worm. It may be ok for a university-grade software to be distributed
with a debug option compiled in by default, especially when it's distributed
almost free and with its source; but taking the same program, and selling
it to unsuspecting customers without any quality check, is certainly
negligent.
--
Amos Shapir am...@nsc.com
National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522261 TWX: 33691, fax: +972-52-558322
34 48 E / 32 10 N (My other cpu is a NS32532)

Lester I. McCann

Nov 8, 1988, 11:04:09 AM

In article <2...@eda.com> j...@eda.com (Jim Budler) writes:
>
>For now I feel these two security lists are to be *actively* encouraged
>perhaps now they can actually be funded. It sounds like they are going
>to be set up as a cooperating duo, one open, but carrying details only
>on how to close holes, with an attempt to not convey information to
>aid breaking. The other is the problem. With my corporate charter, I
>need the more detailed, but the qualification *has* to be tighter.
>
>uucp: {decwrl,uunet}!eda!jim Jim Budler
>internet: j...@eda.com EDA Systems, Inc.

I think it would be a mistake to selectively censor security information.
It gives me the feeling that a certain privileged few will get to
say that the rest of us can't handle the knowledge. In this situation
one can make a case that such caution is warranted, but I fear that this
setup may encourage even more stalling on security modifications. I can
envision some system administrators becoming overconfident because they
believe no one but other sysadmins know where the bugs are. And if no one
else knows, why spend the time and money to fix the problems?

I'm not saying that any of this will actually happen. But, I do think that
if everyone knows about the problems and if they are discussed openly, we'll
all be more knowledgeable about the risks, we'll be better able to deal
with possible future troubles, and we'll be better able to prevent a
repeat performance.

Lester McCann
numc...@plains.nodak.edu
numc...@ndsuvax.bitnet

Charles Lambert

Nov 8, 1988, 11:13:36 AM
In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>
>On the next area of consideration, who's gonna get hold of the bastard
>that caused this and beat the shit out of him?

Well, I'm not sure I go along with that. No actual harm done besides the
results of our own panic. In the end, a benign worm revealed a nasty hole
in the security.

Now, about that panic: who's gonna put together a cogent, readable press
release to counter all the sensational tripe that the media have been
inventing, in their benighted ignorance? Something that conveys the idea
that we're not a mob of moon-eyed boffins at the mercy of our machines.

Charlie

Jerry Carlin

Nov 8, 1988, 11:50:47 AM
In article <25...@cs.Buffalo.EDU> bo...@sunybcs.UUCP (Devon E Bowen) writes:
>... I knew that sendmail is

>one of the most insecure mailers around. And I sure hope no one out there
>thought differently even before the worm. He didn't teach me a whole lot. He
>just wasted my time...

Being mostly a V-oid, I did not know sendmail was holey. Anyone who did
and did not contribute to getting it fixed is at least as guilty
as the perpetrator.

There is a legal concept of an 'attractive nuisance' typically applied to
kids getting drowned because there was not a good fence in front of
the swimming pool. It applies here.

I'm getting really tired of 'we' (the in crowd) knew there was a problem
so we did not feel we had to do anything. The rest of us did not know the
problem existed.

The argument that 'why should we fix anything because there will be some
holes in the future' is equivalent to 'why should we have medicine because
there will always be disease'. It does not wash.

--
Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc
To dream the impossible dream. To fight the unbeatable foe.

Lyndon Nerenberg

Nov 8, 1988, 2:30:08 PM
In article <53...@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
>
>Now, if you have such a lock on your door, and you wake up in the
>middle of the night to find that a stranger has broken into your home
>and is wandering about, bumping into things in the dark and breaking
>them, how do you react? Do you excuse him because the lock is easy to
>circumvent? Do you thank him because he has shown you how poor your
>locks are? Do you think *you* should be blamed because you never got
>around to replacing the lock with a better one and installing a
>burglar alarm?

Gene, we have to (at least partially) excuse him, because WE gave
him the key! The person who needs "prosecuted" is the person who
hardwired the "wizards" password into sendmail. For accomplices, round
up every sys admin who didn't change it from the default.

Does your car insurance cover theft of contents when you leave the
doors unlocked?

Ken Manheimer

Nov 8, 1988, 3:45:26 PM
In article <3...@itivax.UUCP> s...@itivax.UUCP (Steve C. Simmons) writes:
>In article <12...@tmpmbx.UUCP> pe...@tmpmbx.UUCP (Hans H. Huebner) writes:
>> [...]

>>Let's be happy that it is over, and that the Internet is now more secure.
>
>Let's not. Suppose you found a security hole that would let you assassinate
> [...]

>
>The ethical thing to do would have been to inform the local sysadm
>of the hole, and get the patch out as has been done in other recent
>(non-worm) cases. Instead this guy chose to keep his knowledge a
>secret and "play" with it.

No no no no no no no.

Ethical thing to do?? Is it not relevant to ethical considerations
that you take some sort of effective counteraction? Inform the local
sysadm of the hole?? And what if the local sysadm already knew about
the hole, and said "Yeah, if you invoke help in sendmail's interpreted
mode it talks about this debug option - don't worry so much, everybody
knows about it, and nothing bad has happened."

And then even if something was posted about it, what portion of the
sys-admin concerned computer population do you think such a portion
would reach, and what portion of them do you think would take action?
These are, for the most part, not unknown bugs we're talking about,
hey?

There is enormous investment in computing business/operating system
development to just try to keep up with, and attempt to tame, the
problems that bite you. The costs of less immediate threats, like
"obscure" security holes, are abstract enough to make plans to fix
them fall through the cracks. If you don't agree, consider (as people
have mentioned repeatedly) that the flaws the worm exploited are
generally acknowledged to not be new or particularly abstruse bugs -
the potential application of the sendmail debug option is relatively
obvious, if you happen to be aware of its existence. They are
(hopefully 'were') entrenched bugs, with concerns about fixing them
outweighed by the endorsement of their presence in "all the other
versions and incarnations" of bsd operating systems. "If the
(other) companies don't care about them, why should i?"

Then along comes someone who gets the bugs on the front page of most
newspapers. This is no mean feat. Resolving these bugs, which
someone should have invested time to do already, becomes the chore of
(very) numerous sys admins around the net, and everyone gets some
public egg on their faces for not having taken care of the problem
previously.

However, the way it happened had all the earmarks of a great adventure
with a happy ending - the shock and challenge of an unknown invader,
mustering of defensive forces ("disease control" in various computing
centers), recovery of atrophied lines of communication, contributions
of individual heroes on the front lines, sweat, diagnosis, and
solution of the problem, tracking (and discovery!) of the mysterious
culprit, and controversy, lots of controversy. People were mobilized
and had the opportunity to meet with success. That's good. I think
the general public got the impression of a victory of the mythical
computer wizards over a ferocious dragon, rather than the defense of
concerned computer hackers over another hacker's heavy (and
proliferous) but entirely toothless worm. And that impression is not
too bad to have around, either.

As far as i'm concerned, the real danger right now concerns finding a
balanced response to the situation - obviously the climate regarding
system security is going to change. If not enough effort is invested,
the copycat hacks that we'll be seeing (very soon now) will outstrip
the improvements, get through, and some significant portion of them
won't be so benign as our promiscuous little worm... On the other
hand, if administration becomes reactionary in their attitude towards
the network and takes a fascist, "curtail-access" attitude, then we're
all going to see our work become more difficult, and, for that matter,
less enjoyable.

I have heard hints that the R Morris intended for the worm to make its
journey and go away, leaving only definite evidence that it had been
everywhere, so he could then say "see what's possible?" I would bet
that if he had accomplished this the story would not have made the
front pages of the New York Times or the Washington Post, and fewer
sysAdmin's supervisors would be on their sysAdmin's backs. I suppose
this would be preferable from at least the sysAdmin's perspectives,
and the shock would be sufficient to get some action (and avoid
administrative fascism), anyway. Still, i feel that the mobilization
and eventual kudos effected to meet the challenge of an overt and
active intruder to our cozy world is the best attitude to start to get
out of our collective complacency.

>Steve Simmons ...!umix!itivax!scs
>Industrial Technology Institute, Ann Arbor, MI.
>"You can't get here from here."

Ken Manheimer k...@cme.nbs.gov or ..!uunet!cme-durer!klm
National Institute of Standards and Technology
(Formerly "National Bureau of Standards")
Factory Automation Systems, Software Support

These are not a sentence, these are pixels.

Scot E Wilcoxon

Nov 8, 1988, 4:34:19 PM
In article <11...@xn.LL.MIT.EDU> ol...@xn.ll.mit.edu (Jim Olsen) writes:
>>From the Sunday New York Times (page 1):
>>"[Robert Morris] quickly recognized that things had gone terribly wrong
>>and, they disclosed, he arranged for a friend to send out instructions
>>on eradicating the virus to the same computers plagued by the virus."
>
>Has anyone identified this alleged eradication message?

Look in comp.protocols.tcp-ip for a message from "foo@bar" (I don't
remember what domain it is in :-). It was vague and had a signed
follow up message.
--
Scot E. Wilcoxon sew...@DataPg.MN.ORG {amdahl|hpda}!bungia!datapg!sewilco
Data Progress UNIX masts & rigging +1 612-825-2607
I'm just reversing entropy while waiting for the Big Crunch.

Robert Sklar

Nov 8, 1988, 5:08:36 PM
In article <12...@tmpmbx.UUCP> pe...@tmpmbx.UUCP (Hans H. Huebner) writes:
>In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
>I'd be careful in generally judging hackers as bad guys. Better think about
>the possibilities bugs can give to your favoured opponent. Every hour spent
>in the last week to get rid of the worm is a good investment in the security
>of future software products.
>
>Hans H. Huebner, netmbx | PSIMail: PSI%026245300043100::PENGO

Hear, hear!! Not only is the net much more secure now, but this should
teach us all a lesson and point out the potential for something much
worse from happening in the future. This makes a message loud and clear
as it caught a lot of people with their pants down. With the speed of
the Internet now our vulnerability really stands out.

Also a Big Thanks to the people at Berkeley who worked for 36 straight hours
on fixing and releasing the patches to help make the Internet safe once again.

AND GET YOUR DEFINITION OF HACKER RIGHT!! (A pet peeve of mine) :-)


--
Robert M. Sklar - News Administrator @ CU-Denver
UUCP: {whatever}!boulder!pikes!netnews
CSN: net...@pikes.Colorado.EDU BITNET: net...@cudenver.BITNET
***** Ignore These Four Words *****

Der Tynan

Nov 8, 1988, 6:15:21 PM

In answer to all these people who've said we should thank the guy for putting
the worm in the system, which scared the living daylights out of a *lot* of
system administrators this weekend, I have the following comments;

First, a topical joke;

Q: What's worse than finding a 'worm' in your 'Apple'?

A#1: Finding *half* a worm (think about it).

A#2: Knowing that the author will get away with a mere 'slap on the wrist'.


Consider the following fictional analogy;

"TCPVILLE, IP -- An armed gunman opened fire on the customers in a local fast
food franchise, this morning. The gunman, armed with an Uzi, and several
handguns began shooting at random, aiming above the heads of the terrified
customers. Luckily, no-one was hurt, but local authorities say the damages
may exceed $1M, not including any lawsuits on behalf of the victims. Several
parked cars were destroyed, along with some fast food equipment, and most of
the plate-glass in the restaurant. A spokesman for the fast food chain issued
a public 'thank you' to the gunman, for exposing serious weaknesses in the
chain's security policy. Furthermore, the spokesman announced stricter security
regulations, including 'strip searches' for future patrons, and armed guards
at every entrance."

Get the point? What's more, my worst nightmare has come true. Last night,
a TV anchor referred to Morris as a 'Computer Mastermind'. Really? What
would they have called him if his program had actually worked? Most networks
in this country, including the banking networks, are not totally impervious
to such attacks. The 'failsafe' security is that this kind of CRIME is a
federal offence. This is what keeps most 'crackers' away from this kind of
thing. Sure, he exposed some serious weaknesses in the overall security, but
it would have been a *lot* better if he had just mailed his findings to the
appropriate people. What he did will have serious long-term repercussions.
In an ideal environment, we might just take his findings, and make the system
secure, but in reality, a lot of not-so-computer-literate managers are going
to review their INTERNET (and USENET) policies. My wife and I have a bet
going; she says that Morris will get a high-paying job in some network
company. I say his resume ain't worth beans. If he *does* get 'the ultimate
job', want to guess how many *more* attacks there'll be in the coming years?
- Der
--
dty...@Tynan.COM (Dermot Tynan @ Tynan Computers)
{apple,mips,pyramid,uunet}!zorba.Tynan.COM!dtynan

--- God invented alcohol to keep the Irish from taking over the planet ---

r...@moss.att.com

Nov 8, 1988, 8:12:41 PM
In article <3...@execu.UUCP> de...@execu.UUCP (Dewey Henize) writes:
}Followups to alt.flame, please.

Even if we got the alt groups, I couldn't allow you to make such
inflammatory comments in these newsgroups and then skulk off to
alt.flame -- you're the one advocating that Bob Morris "face the
music"; right now it's your turn! ;-)

}Hans, you're a much nicer guy than I am. I learned a long time ago that to
}be secure, you close your system off from the outside world, otherwise you
}cannot be really secure. Sorry, this didn't really do much in anything like
}a nice way.

No, you can't be *really* secure. But you can have a relatively secure
system without HUGE GAPING holes like the one Bob Morris exploited.

}Yes, there are holes - and I'll bet you that while these get patched pretty
}darned quickly, there will be more and more as time goes on. So? Does that

And why are these holes being patched so quickly? Why weren't they patched
before now? Because no one had exploited them *that we know of*, and we
were just damned lucky that the first person who did so wasn't malicious.

}Think this through. If this clown had really been even remotely inclined to
}do anything resembling help people, there are literally hundreds of other
}scenarios that he could have chosen.

Like what? Name one. You cannot in good conscience expose a major security
hole unless you are reasonably sure that whoever you tell about it is not only
trustworthy, but can be counted on to disseminate the information quickly
and reliably to *all* systems that have the hole. If you can look in your
Official Internet Directory and give me the number of the Computer Security
Agency for All of the Internet then I'll acquiesce.

}I know that if someone really wants to, they can go into the parking area here
}and slash a few hundred tires. We don't have 24 hour a day security, because
}most responsible people know better, and a large part of what's left are also
}aware that doing it and getting caught will do bad things to their personal
}wealth, freedom, and possibly health. Yes, a few people in the world do that
}kind of thing - we call them criminals or outlaws, not 'hackers'. I still

Another horribly inaccurate analogy. Let's see if we can rectify that.
Let's say everyone has one of those 5-button combination locks on their
car doors -- the kind that Ford and others had on luxury cars where you
could punch in a 5-number combination to unlock the driver's door, then
follow that with another digit to pop the trunk.

Now let's say someone comes into your unguarded parking lot full of LOCKED
cars, opens everyone's trunk, jacks up each car, takes off each car's
rear tires and locks the tires and lug nuts back in the trunk.

You all come out and see this and are appalled and outraged. Other
owners of the same type of cars are frightened -- how did this person
do it? You discover that the maker of the cars, in its infinite
carelessness/stupidity, has assigned the same combination to ALL of
the cars!

Now, each car owner has to unlock the trunk, drag out the tires and lug
nuts, and put the tires back on. And each driver goes to a service
center at a carmaker X dealership and gets a custom combination.

Was time and effort wasted? Yes.
Was any damage done? No!
Are the cars now completely secure from theft? No.
Were many probable future thefts of valuables from locked cars
prevented? Yes!

It's a bit more complicated than tire-slashing.

}If we are lucky, Morris will be sued to the point that his personal fortune
}will be totally taken from him and he will be blackballed from anything
}even resembling a responsible job for the rest of his life. And also we can
}hope that this punishment will be widely publicized such that the very large
}number of people that think this kind of thing is a fun thing to try will
}have major second thoughts.

I just *love* people who advocate making an example of one particular
individual despite the injustice that implies. I hope you get stopped
for speeding someday and they decide to give you 5 years in prison so

r...@moss.att.com

Nov 8, 1988, 8:49:19 PM
In article <53...@medusa.cs.purdue.edu> sp...@cs.purdue.edu (Gene Spafford) writes:
}Consider an analogy:
}
}Locks built in to the handle of a door are usually quite poor;
}deadbolts are a preferred lock, although they too are not always
}secure. These standard, non deadbolt locks can be opened in a few
}seconds with a screwdriver or a piece of plastic by someone with little
}training.
}
}Now, if you have such a lock on your door, and you wake up in the
}middle of the night to find that a stranger has broken into your home
}and is wandering about, bumping into things in the dark and breaking
}them, how do you react? Do you excuse him because the lock is easy to
}circumvent? Do you thank him because he has shown you how poor your
}locks are? Do you think *you* should be blamed because you never got
}around to replacing the lock with a better one and installing a
}burglar alarm?

Dr. Analogy here -- this one doesn't wash, either, Spaf.
It's better than most, though -- let's see if we can make it accurate.
Add the fact that there are many people who have a key to the door of
your house, that there are many people coming in, leaving, and wandering
all over your house at all hours of the day and night. They aren't in
your bedroom, because you have a super-good lock that only a few select
people have keys to ;-) but they're everywhere else all the time.
They're watching your TV, using your phones, reading your books, using
your appliances, etc.

In addition, you have a separate door that allows *anyone* in -- it
isn't even locked! And there's an honor-system book exchange in the
separate area of the house that it opens onto!

NOW, are you going to be as upset if you find someone you don't know
wandering around in your house in the middle of everyone else? Well,
you're still going to be upset because his activities, while not
damaging, have disrupted the entire household and brought all the
others' activities to a standstill -- so much so that you have to
empty the house while you deal with him. But it isn't nearly the
fear, upset, and anger you would experience in the analogy you gave.

}We have failed to imbue society with the understanding that computers
}contain property, and that they are a form of business location. If
}someone breaks our computers, they put us out of work. If someone
}steals our information, it is really theft -- not some prank gone
}awry. If someone broke into the NY Times and vandalized their printing
}presses, it would not be dismissed as the work of a bored college
}student, and even if it was the son of the editor, I doubt anyone would
}make a statement that "It will ultimately be a good thing -- we'll be
}forced to improve our security."

This, I must admit is a very very valid viewpoint -- hadn't thought of
it that way. Thanks. [Due to my rather flaming articles of recent,
I feel compelled to clarify that this is NOT sarcasm!]
I still take issue, though, Gene. My business location doesn't
have people wandering around bumping into things because we have a
security group and a lobby with guards. We don't shut ourselves off
from the outside world, there are no fences, just security at the
entrances. Bob Morris didn't come in through the window -- he came
in through the door.

}We cannot depend on making our systems completely secure. To do so
}would require that we disconnect them from each other. There will
}always be bugs and flaws, but we try to cover that by creating a sense
}of responsibility and social mores that say that breaking and cracking
}are bad things to do. Now we have to demonstrate to the world that

"Computer Cracking -- Just Say No"
You should get Nancy Reagan to help with your campaign -- look what
she's done against drugs in the U.S. :-(
I'm glad my bank doesn't have your attitude.

Curtis Jackson -- att!moss!rcj 201-386-6409
"The cardinal rule of skydiving and ripcords: When in doubt, whip it out!"

R...for Rabbit

Nov 8, 1988, 10:13:35 PM
In article <10...@ncc.Nexus.CA> lyn...@nexus.ca (Lyndon Nerenberg) writes:
^In article <53...@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
^ [Gene's lock analogy deleted]
^Gene, we have to (at least partially) excuse him, because WE gave
^him the key! The person who needs "prosecuted" is the person who
^hardwired the "wizards" password into sendmail. For accomplices, round
^up every sys admin who didn't change it from the default.
^Does your car insurance cover theft of contents when you leave the
^doors unlocked?

But is the guy who did it still a criminal? Hell yes, he stole your
stuff. Maybe you are at fault, but that doesn't make him any less
criminal in his actions. If someone can effortlessly rip off stuff
from a store, does that mean that they're not really stealing, because
the store owners made it so easy?

But enough of arguing analogies; we could do this all day. The point
is, it doesn't matter how easy or hard it was for him to accomplish
this, the point is that he did it. The question is, what should be
done to him? I think you can't remove the blame from him, because
the programmers made it easy for him to accomplish this. The ease
of doing something doesn't determine if someone is guilty or not
guilty.

--R for Rabbit

Devon E Bowen

Nov 8, 1988, 11:35:08 PM
In article <45...@ptsfa.PacBell.COM> j...@ptsfa.PacBell.COM (Jerry Carlin) writes:
>Being mostly a V-oid, I did not know sendmail was holey. Anyone who did
>and did not contribute to getting it fixed is at least as guilty
>as the perpetrator.
>
>I'm getting really tired of 'we' (the in crowd) knew there was a problem
>so we did not feel we had to do anything. The rest of us did not know the
>problem existed.

Never let it be said that I don't do my part...

I'm writing this as a public notice that the sendmail daemon is still a
security hole. If you feel strongly about this, please shut off your sendmail
daemon. I prefer to run mine so that I can continue to receive mail via the
Internet.

>The argument that 'why should we fix anything because there will be some
>holes in the future' is equivalent to 'why should we have medicine because
>there will always be disease'. It does not wash.

That's not the argument I make. My argument is that I'd rather spend my
time making advancements in the field of computer science than patching
security holes. I think you'll agree that what I do with my time and efforts
is my business.

I don't think that one of these scares every couple of years is worth the
bother. Sure, if it had been a virus and had wiped out my disks, it would
have been a pain and I would have had to restore from tape dumps. But being
paranoid takes a lot of time, too. And I don't think it's worth it.

If you want every ounce of security you can get, you should be running VMS.
I'll stick with BSD, though.

Rick Adams

Nov 8, 1988, 11:48:14 PM
> Does your car insurance cover theft of contents when you leave the
> doors unlocked?

Does that make it less of a crime?

peter honeyman

Nov 9, 1988, 12:18:15 AM
Steve C. Simmons writes:
>The ethical thing to do would have been to inform the local sysadm
>of the hole, and get the patch out as has been done in other recent
>(non-worm) cases. Instead this guy chose to keep his knowledge a
>secret and "play" with it. He's as culpable as if he'd accidentally
>dropped a vial full of smallpox bacteria in a public place.

analogies aside, what's your opinion of people who now claim to have
known about the bugs for years?

peter

Obnoxious Math Grad Student

Nov 9, 1988, 6:53:50 AM

Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
that you can feel justified about being smug and complacent re security?

Dan Schlitt

Nov 9, 1988, 9:36:12 AM
Spaf, you are probably correct in your comments, particularly those
about blaming the victim. However....

Well, I probably can view the problem of the worm with a bit of
detachment since we are not yet connected to the internet and thus did
not get attacked by it. But there are a group of people who I
have not seen mentioned who should share a good part of the blame for
the extensive propagation of the worm.

When I get the BSD distribution as a university site I know what I am
getting. It is not a polished commercial product and I take the
responsibility for cleaning things up if they bother me. I saw the
trapdoor code several times as I looked at the source. I wasn't
curious enough to check out what it did nor sharp enough to see the
problems it might create. If I had been bitten then I would be
kicking myself for contributing to the problem.

On the other hand, some of the machines that were attacked were
running what purports to be a commercial product. In the tcp-ip group
there has recently been discussion of the documentation and setup on
the distributed operating system that creates many problems, including
security problems, when the machines are connected to the internet. It
seems to me that there is good reason for some serious soul searching
in some corporate headquarters over what has just happened.

And that shouldn't be applied just to that organization. I have a
computer from yet another vendor with the sendmail trapdoor. I will
patch that binary too. But I ask you, why should a vendor distribute
programs compiled with DEBUG defined?

--
Dan Schlitt Manager, Science Division Computer Facility
dan@ccnysci City College of New York
d...@ccnysci.bitnet New York, NY 10031
(212)690-6868

Mark Levine

Nov 9, 1988, 12:16:33 PM
[weemba says the whole point of the worm discussion is "learning nothing"]

I stand amazed at the high pedestal we make for computers. Gee, did you
know that locks can be picked? That the front door of your house can be
kicked in? Your car can be stolen? Your bank vault robbed?

There is nothing wrong with security, but in the last analysis it always
becomes an economic problem, and absolute security is prohibitively
expensive. Every time I see a burglary reported in the press I do not
expect to replace the glass windows in my house with bullet-proof plastic
nor will I run out and replace all the wood with steel and concrete. By
the same token I will not begin to divert all my resources from applications
to improving the reliability of network services in my operating system.

This seems rational, and does not excuse a failure to do maintenance when a
serious problem is exposed and a free patch supplied.

For rational people, the law is a part of raising the cost of sociopathic
behavior like killing and loosing tapeworms onto the network. Where
accidental it is still "manslaughter" as opposed to "murder" in that the
act did damage, even if not premeditated nor intentional. Making a hero
of the guy who breaks into your house and shoots your dog, because it suddenly
illuminates the fact that hiring a security patrol might be a good idea, is
not something I want you to do.

If nothing has been learned, it is certainly in the column under "computers
are not different than other spheres of human activity" -- is it not so?
We know our systems are imperfect, but also that they are usable. I submit
that if an admin wants to bet the 8 hours of restoring a bug-infested system
from scratch against the years of vetting every piece of software he sees,
that is not necessarily a bad choice. If you have much more valuable data
you cannot see disrupted, get off internet, or consult your actuarial tables
for the bet you can lay.

Eleazor bar Shimon, once and future Carolingian
y...@sabre.bellcore.com

Paul Anderson

Nov 9, 1988, 8:12:51 PM

No.

But the criminal doesn't *care*.
And the student is sometimes misguided.

That's why senior engineers make project direction decisions (as opposed to
coop and grad students).

paul
--
Paul Anderson gatech!stiatl!pda (404) 841-4000
X isn't just an adventure, X is a way of life...

Gene Spafford

Nov 9, 1988, 9:33:19 PM
In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>In article <44...@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
>>Does that make it less of a crime?
>
>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
>that you can feel justified about being smug and complacent re security?

1) Rick (and I and others) are hardly smug and complacent about
security. We're working on it, and have been working on it, for
quite some time, although that is not our primary job. Just
because we don't tell you and the Usenet about it doesn't mean
we aren't acting on it. In fact, considering your behavioral
aspects, not telling you about anything is an important part
of a good security program.

2) Some of us are concerned about ethical issues in addition to
technical issues. Too many people are not concerned with ethics,
professionalism, liability, et al. and we see technology as not
providing all the answers to important questions. That you are
unconcerned with ethics does not seem surprising to many of us.

3) Please, please insult Indiana some more -- it makes you appear so
terribly clever and humorous. You're so cute when you're rabid.
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: sp...@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf

Theodore Y. Ts'o

Nov 10, 1988, 1:39:21 AM
In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>
>What the HELL does that matter? Are you going to run around with your
>heads in the sand over and over again, yelling "ain't my fault our locks
>are all ten years out of date"? What does it take to wake you folks up?
>
Stuff like this makes me wish that news.admin _WAS_ moderated. Sigh.

>>We cannot depend on making our systems completely secure. To do so
>>would require that we disconnect them from each other. There will
>>always be bugs and flaws, but we try to cover that by creating a sense
>>of responsibility and social mores that say that breaking and cracking
>>are bad things to do.
>

>Ooooh. A sense of responsibility and social mores? So you can declaim
>from the moral high ground when ARPANET goes belly up three years from
>now? How about a sense of intelligence and security to go with it?

Repeat after me three times. "The ARPANET cannot be made secure." Got
it? Now repeat it three more times. As long as machines are
connected together usefully, there will always be a chance that
somewhere, somehow, someone will be able to break in. So what are we
going to do about it? We have to deter people from doing anti-social
things --- either by giving them a sense of ethics or stringing up
people who do these things. Why do you sneer at ethics so?

In a previous article, you said that the virus/worm should be released
every month to keep sysadmins on their toes. Well, how about this:
every month, someone will randomly spray your office with machine gun
fire. That'll teach you to wear bullet-proof vests!

Personally, I prefer not to wear bullet-proof vests, because I can get
a lot more done without them on. However, I don't think the human
race will come to an end because in general, people don't wear
bullet-proof vests. Similarly, the ARPANET won't die because of
this.

I was up all night thursday fighting this thing; I'm not inclined to
think it was a "harmless prank" or an "effective way to wake us
up" --- just as you wouldn't think that my shooting your feet off would
be a good way to remind you to wear bullet-proof armor all the time.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Theodore Ts'o bloom-beacon!mit-athena!tytso
3 Ames St., Cambridge, MA 02139 ty...@athena.mit.edu
Everybody's playing the game; but nobody's rules are the same!

Obnoxious Math Grad Student

Nov 10, 1988, 7:36:37 AM
In article <78...@bloom-beacon.MIT.EDU>, tytso@athena (Theodore Y. Ts'o) writes:
>In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:

>>What the HELL does that matter? Are you going to run around with your
>>heads in the sand over and over again, yelling "ain't my fault our locks
>>are all ten years out of date"? What does it take to wake you folks up?

>Stuff like this makes me wish that news.admin _WAS_ moderated. Sigh.

[I'll pretend that this is news.admin for the sake of argument.]

Why? You think it's essential that everyone play kiss ass yup yup yup
regarding security?

>>Ooooh. A sense of responsibility and social mores? So you can declaim
>>from the moral high ground when ARPANET goes belly up three years from
>>now? How about a sense of intelligence and security to go with it?

>Repeat after me three times. "The ARPANET cannot be made secure." Got
>it? Now repeat it three more times.

Of course it can't be made secure. But it could be a hell of a lot more
secure than it is now. A HELL of a LOT more. Complaining about RTM's
lack of ethics is not the way to make it more secure. Got it yourself?

> So what are we
>going to do about it? We have to deter people from doing anti-social
>things --- either by giving them a sense of ethics or stringing up
>people who do these things. Why do you sneer at ethics so?

Because I don't believe that ethics will work. People aren't going to
get much of a way of ethics, and the stringing up of RTM you all keep
foaming for is bloody unlikely.

>In a previous article, you said that the virus/worm should be released
>every month to keep sysadmins on their toes.

No, not to keep sysadmins on their toes. To get them--and their bosses--
and maybe thus their vendors--to start making security a serious priority.
And not an afterthought.

And I've only floated it up as an idea for kicking around, not a mandate
about what SHOULD be done. You'll recall that I used the word "drill",
as in FIRE DRILL. I didn't ask for genuine FIRES.

> Well, how about this:
>every month, someone will randomly spray your office with machine gun
>fire. That'll teach you to wear bullet-proof vests!

These "proofs" by analogy are always so ludicrous. Is random machine
gunning of offices an almost certainty? Maybe over in Lebanon, but not
here in the USA.

In contrast, is more computer cracking a certainty? YES...

What are you going to argue next? That fire drills be cancelled at
schools? That earthquake drills not be held here anywhere in Cali-
fornia? After all, it's just as easy for you to compare these drills
to your machine-gun analogy.

>I was up all night thursday fighting this thing; I'm not inclined to
>think it was a "harmless prank" or an "effective way to wake us up"

I never claimed that it was a "harmless prank". (By the way, if you
think this news.admin ought to be moderated, why do you engage in such
blatant lying? Is this what Gene Spafford calls "professionalism"?)

Nor did I ever claim that the Morris worm was an effective way to wake
people up, other than some early theorizing before the facts were in.
I'd *LIKE* to see it become such in retrospect, but the large number
of people thinking "OK, I fixed the sendmail bug, let's nuke the bas-
tard so that no one will ever do this again" makes me doubt this.

> just as you wouldn't think that my shooting your feet off would
>be a good way to remind you to wear bullet-proof armor all the time.

Ignoring the fact that your analogy is indeed irrelevant, note that I'm
NOT suggesting that anything crippling be done--just something that keeps
security a high company/university/institute priority across ARPANET and
elsewhere. I simply do not expect this attitude to come voluntarily.

Tony Nardo

Nov 10, 1988, 8:10:07 AM
In article <36...@clyde.ATT.COM> r...@moss.UUCP (Curtis Jackson) writes:
>...We don't shut ourselves off
>from the outside world, there are no fences, just security at the
>entrances. Bob Morris didn't come in through the window -- he came
>in through the door.

I can't speak for your house, but I know that *my* house does not have some
unsuspected secret door leading in.

If you mean to say that "sendmail" was the door, then the authors of "sendmail"
should have to face a little fire of their own. They made at least one key to
that door and left it sitting around -- WITHOUT openly telling the world that
they had done so!

==============================================================================
ARPA: trn%war...@aplvax.jhuapl.edu OR nardo%str.d...@capsrv.jhuapl.edu
BITNET: t...@warper.jhuapl.edu
UUCP: {backbone!}mimsy!aplcomm!warper!trn

50% of my opinions are claimed by various federal, state and local governments.
The other 50% are mine to dispense with as I see fit.
==============================================================================

William B. Thacker

Nov 10, 1988, 8:33:10 AM
In article <36...@clyde.ATT.COM> r...@moss.UUCP (Curtis Jackson) writes:

Well, while we're bashing analogies... yours is even further off the
mark, Curtis.

Consider that those many people with keys to your door are all your
close friends, who you know you can trust; and that they contributed
many of those books in your exchange. When your TV breaks down, one of
them fixes it. You don't just give a key to anyone.

Now, the door to your book exchange isn't locked; it's hidden behind a
secret panel. Maybe *you* didn't even know it was there. Certainly, it's
impossible for 90% of the population to find.

Finally, some stranger goes to school for four years, studying
architecture. He gets the blueprints for your house and studies them,
too, until he finally discovers that secret door. Instead of sending you a
letter describing the door and advising you lock it, he decides for
something a bit "showier".

Thus, the next morning, you wake up to find strange, muddy bootprints all
over your house, and all the rooms are filled to the ceiling with styrofoam
peanuts. Sure, it only takes you a day or so to clean the place up, and he
could have done more, but...


In a related matter : What ever happened to Captain Midnight, the
gentleman who commandeered HBO's satellite a few years ago ? I seem to
recall that he was caught, but I don't know what happened after that.

Seems to be rather an analogous case.

------------------------------ valuable coupon -------------------------------
Bill Thacker att!cbnews!wbt
"C" combines the power of assembly language with the
flexibility of assembly language.
Disclaimer: Farg 'em if they can't take a joke !
------------------------------- clip and save --------------------------------

Steve C. Simmons

Nov 10, 1988, 10:21:41 AM
In article <7...@mailrus.cc.umich.edu> ho...@citi.umich.edu (peter honeyman) writes:
>analogies aside, what's your opinion of people who now claim to have
>known about the bugs for years?
> peter

Low, but I'm willing to judge on a case by case basis :-). If someone
has known for years and made good faith effort to inform the responsible
parties both on the vendor and user side, one can ask for no more.
--

Scott A. Mason

Nov 10, 1988, 10:23:47 AM
Firstly, this is not necessarily a reply to this particular message, but a
reply to all the netlanders who feel that this sort of activity is
favorable in ANY way.

>I hate to sound like I encourage this sort of thing but I think the guy did
>a lot of people a hell of a favor. He was non-malicious in intent, but got
^^^^^^^^^^^^^^^^^^^^^^^
It seems as though a lot of people have been saying this. This isn't
holding water with me. This program WAS malicious and had to be designed
with this in mind. How else would it have been so well coded to do what it
did!?

>zapped by a bug. What if he had been malicious and had released a better
>tested worm (oops, now maybe it's a virus again)? Want your day ruined?
>Have the virus sit around until, say, the midnight before term papers are

Perhaps you didn't consider the fact that some computers are used for other
things than education. In the business world, time is money, and CPU time
costs money. In any case, it is a resource which was maliciously wasted by
the Internet worm. Try telling the CEO of Big Corp (fictitious corporation
used here for analogy) that your annual report is late because the computer
was brought to its knees by a non-malicious worm. He would not be impressed.
A worm is a worm is a worm!

>Someone suggested that this virus be loosed upon the land on a monthly
>basis. I think there is a lot of merit to this type of thinking, at least

Yes, I also heard someone say that "chaos is good." :)

>system administrators would a) be aware that people will try to hack
>their systems, and b) educate them as to how their systems are vulnerable.

It is the programmers' responsibility to consider all possible avenues that
his program might take. Good programs don't do bad things. The system
administrator should also be concerned with the security of his system,
regardless. He need not be burdened with extra effort involved with this
chaotic type of thinking.

--------------------------------------------------------------------------------
"If it ain't broke, don't fix it," and certainly don't blame me. Oh, by
the way, my opinions are my own, so don't blame them either.
UUCP: {pitt, scooter, hal, cwjcc}!neoucom!sam INTERNET: s...@neoucom.UUCP
Scott A. Mason
Coordinator of Systems Operations, NEOUCOM

Steve C. Simmons

Nov 10, 1988, 10:41:23 AM

In article <7...@stylus.cme-durer.ARPA> klm@stylus (Ken Manheimer) writes:
>In article <3...@itivax.UUCP> s...@itivax.UUCP (Steve C. Simmons) writes:
>>The ethical thing to do would have been to inform the local sysadm
>>of the hole, and get the patch out as has been done in other recent
>>(non-worm) cases. Instead this guy chose to keep his knowledge a
>>secret and "play" with it.
>
>No no no no no no no.
>
>Ethical thing to do?? Is it not relevant to ethical considerations
>that you take some sort of effective counteraction? Inform the local
>sysadm of the hole?? And what if the local sysadm already knew about
>the hole, and said "Yeah, if you invoke help in sendmail's interpreted
>mode it talks about this debug option - don't worry so much, everybody
>knows about it, and nothing bad has happened."
>[[and goes on to an excellent discussion]]

The argument you make is a general ethical one, and has merit. But
this isn't talk.philosophy (yeah, I know I started the thread :-)).
If we grant Morris the best of motives ("see how easy I did X?"), it
feels very much like someone who, in order to show his local fire
department is worthless, starts a "safe" fire. Unfortunately it gets
out of hand and burns his whole house down.

Yes, when the authorities will not allow time/money/resources to do the
security fixes the guy who knows of the hole is in a tough spot. Two
wrongs, tho, don't make it right.

As for the folks who claim we're all better off because of this, I'm
curious. What fixes have come forward since the worm *but not related
to it*? None that I've seen. Folks are suddenly a lot more security
conscious in general but are applying fixes only on this relatively
narrow point. I'd say that we've had only a narrow improvement so far.
--

Henry Spencer

Nov 10, 1988, 11:54:41 AM

In article <25...@cs.Buffalo.EDU> bo...@sunybcs.UUCP (Devon E Bowen) writes:
>I'm writing this as a public notice that the sendmail daemon is still a
>security hole. If you feel strongly about this, please shut off your sendmail
>daemon. I prefer to run mine so that I can continue to receive mail via the
>Internet.

The latter does not imply the former. There is at least one implementation
of SMTP that does not require sendmail. It was, I believe, posted to
comp.sources.misc a little while ago. It definitely works; although it may
be a bit crude, it's in production on several sites.

The amount of effort that has gone into maintaining sendmail, over the
net as a whole, could have written half a dozen high-quality implementations
of SMTP by now. It continues to amaze me that people claim there is no
alternative to sendmail.
--
Sendmail is a bug, | Henry Spencer at U of Toronto Zoology
not a feature. | uunet!attcan!utzoo!henry he...@zoo.toronto.edu

Rick Rodgers

Nov 10, 1988, 3:37:26 PM

In article <23...@datapg.MN.ORG> sew...@datapg.MN.ORG (Scot E Wilcoxon) writes:
>In article <11...@xn.LL.MIT.EDU> ol...@xn.ll.mit.edu (Jim Olsen) writes:
>>>From the Sunday New York Times (page 1):
>>>"[Robert Morris] quickly recognized that things had gone terribly wrong
>>>and, they disclosed, he arranged for a friend to send out instructions
>>>on eradicating the virus to the same computers plagued by the virus."
>>
>>Has anyone identified this alleged eradication message?
>
There was an article inside the Wall St. Journal several days ago which
described this process, and named the friend. I still believe that
delegating such a task is a major misjudgment.


--
R. P. C. Rodgers, Statistical Mechanics of Biomolecules, Dept. of Pharm. Chem.,
University of California, San Francisco CA 94118 (415)476-8910
(ARPA: rod...@cca.ucsf.edu, BITNET: rodgers@ucsfcca,
UUCP: ...ucbvax.berkeley.edu!cca.ucsf.edu!rodgers)

Wayne Smith

Nov 10, 1988, 4:37:50 PM

In article <53...@medusa.cs.purdue.edu> sp...@cs.purdue.edu (Gene Spafford) writes:
>In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>
>>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
>>that you can feel justified about being smug and complacent re security?
>
>1) Rick (and I and others) are hardly smug and complacent about
>security. We're working on it, and have been working on it, for
>quite some time, although that is not our primary job.

Ah, you're much too modest. I'd say all that work has paid off
handsomely. You are much more smug and complacent than you give
yourself credit for. 1/4:)

>2) Some of us are concerned about ethical issues in addition to
>technical issues. Too many people are not concerned with ethics,
>professionalism, liability, et. al.

Ethical considerations are not going to help secure my installation
from theft and vandalism. As many (especially those who would like to
see RTM hang) have testified, we can be greatly inconvenienced and
even injured by a breach of security. The problem is, as weemba has
reiterated, that keeping holes out of the view of the "general public"
does not keep them from being used maliciously by vandals, terrorists,
etc. It only keeps them from being fixed. Thanks to RTM, a few of
these holes were moved into plain view and the general public was
forced to stop and look. We screamed at the sight, the thought of
falling in, and the inconvenience of having to stop, and together, we
demanded that the biggest holes be patched. Unfortunately, some of us
think a good way to help keep other holes from being maliciously
exploited is to make an example of the person who forced us to look.

I think that people like you, Spaf, do the Unix community a disservice
by insisting that we are better off not knowing the details of the
holes in our own systems. Do you flatter yourself that you can
mobilize the likes of DEC, AT&T, HP, Sun, and IBM to go to the trouble
and expense of fixing thousands of installed Unix systems when none of
their customers know of any specific problem? What kind of secret
note can you alone send that will grab their attention and send them
scurrying to fix the problem?

I am sure that it is people like you who are qualified to find the
holes and provide the fixes (with the help of individuals like RTM),
but it is WE who motivate and move the market. If WE do not know the
problems, their details, and the dangers they present, they will not
be repaired.
--
Wayne A. Smith
Creare Inc. arpa: was%creare%dartmo...@relay.cs.net
P.O. Box 71 uucp: dartvax!creare!was
Hanover, NH 03755 phone: (603) 643-3800

Brain in Neutral

Nov 10, 1988, 4:46:02 PM

From article <16...@agate.BERKELEY.EDU>, by wee...@garnet.berkeley.edu (Obnoxious Math Grad Student):

> Ignoring the fact that your analogy is indeed irrelevant, note that I'm
> NOT suggesting that anything crippling be done--just something that keeps
> security a high company/university/institute priority across ARPANET and
> elsewhere. I simply do not expect this attitude to come voluntarily.

But if your "drill" isn't crippling, then it won't accomplish its
intended end. Because if it's not crippling, it can be (and would
be) ignored.

I suspect that such drills could even be dangerous, in the sense that
they could easily come to be viewed as the boy crying wolf. Then when
the real virus comes in (and of course it will initially mimic a drill),
all the sysadmins will yawn and say, "Oh, another drill. Hm."

Also, it seems to me that belittling the value of ethics is defeatist.
You yourself concur that the net will not be made totally secure, but
can be made *more* secure. It seems reasonable that a greater degree
of ethical behavior (instilled, say, by highly adverse consequences for
unethical behavior) would also make the net *more* secure, even though
not totally secure.

Paul DuBois
dub...@primate.wisc.edu rhesus!dubois

Obnoxious Math Grad Student

Nov 11, 1988, 4:12:09 AM

In article <4...@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>But if your "drill" isn't crippling, then it won't accomplish its
>intended end. Because if it's not crippling, it can be (and would
>be) ignored.

>I suspect that such drills could even be dangerous, in the sense that
>they could easily come to be viewed as the boy crying wolf. Then when
>the real virus comes in (and of course it will initially mimic a drill),
>all the sysadmins will yawn and say, "Oh, another drill. Hm."

I only consider my proposal a first thought. Thanks for a technically
oriented response.

I can only hope that just a few such drills would be needed to convince
people that security should be viewed seriously, not as something to
patch on at the end, or to trust to ethics or a hoped-for anti-Morris
verdict.

>Also, it seems to me that belittling the value of ethics is defeatist.

I don't see why being defeatist or not matters. Personally, I think
of myself as somewhere between cynical and realistic. Anyway, I've
been called worse in the past.

How many sites would be wiped out if a fire hit your computer room?
Are your backups in the same room as your disks and computers? This
is a small potatoes question that could have big potatoes consequences,
yet this kind of thinking is routinely just not done.

You have to approach security in the same way.

As summarized in RISKS, eg, "gets" has long been known to be a bug waiting
to happen--and it did with the fingerd attack--yet backward-compatibility
was viewed as more important than closing this bug for the longest
time. I hope to see this kind of thinking go extinct.

>You yourself concur that the net will not be made totally secure, but
>can be made *more* secure. It seems reasonable that a greater degree
>of ethical behavior (instilled, say, by highly adverse consequences for
>unethical behavior) would also make the net *more* secure, even though
>not totally secure.

Making theft possible only for those with the heaviest of hardware
does more, I hazard, than teaching kids to "just say no" to stealing.

That is, I envision some kind of security wall that discourages those
with slowly maturing ethics, just by making it not worth the effort
for most crackers.

Brain in Neutral

Nov 11, 1988, 1:24:35 PM

From article <16...@agate.BERKELEY.EDU>, by wee...@garnet.berkeley.edu (Obnoxious Math Grad Student):
> I don't see why being defeatist or not matters. Personally, I think
> of myself as somewhere between cynical and realistic. Anyway, I've
> been called worse in the past.

I'm not trying to call you anything. (yet! :-) )

Being defeatist would matter if it caused us not to take a course
of action which, if taken, would have made our installations more
secure *or* less subject to attack. These are not quite the same.

You have focused more on virus-proofing installations, others have
focused on encouraging or requiring ethical behavior. As I read your
articles I get the sense you consider the latter relatively valueless,
*so much so* that such approaches will produce no result at all. If by
"no result" we mean no increase in security, then certainly you are
right, in the sense that an installation's security is not a function
of whether I might or might not attack it, depending on my ethical
beliefs. An insecure site is insecure regardless of whether it's been
attacked. But if by "no result" we mean no difference in the number of
*actual* attacks, then I think we can reasonably say that approaches
oriented toward ethics will *not* be without result.

> How many sites would be wiped out if a fire hit your computer room?
> Are your backups in the same room as your disks and computers? This
> is a small potatoes question that could have big potatoes consequences,
> yet this kind of thinking is routinely just not done.
>
> You have to approach security in the same way.

That's correct, but there should still be consequences for someone who
deliberately sets a fire, shouldn't there?

>>You yourself concur that the net will not be made totally secure, but
>>can be made *more* secure. It seems reasonable that a greater degree
>>of ethical behavior (instilled, say, by highly adverse consequences for
>>unethical behavior) would also make the net *more* secure, even though
>>not totally secure.
>
> Making theft possible only for those with the heaviest of hardware
> does more, I hazard, than teaching kids to "just say no" to stealing.

Well now, I'd say that this is mischaracterization of my argument
(something I know you don't like when you think others do it to you),
for the reason that enacting highly adverse consequences is not the
same as saying "just say no". "just say no" would probably be a failure
in this arena just as I'll bet it will be in the public schools. From
what I hear from the kids I teach in my sunday school class, they're
taught to "just say no" (to, e.g., drugs, peer pressure), but not
especially WHY. These kids aren't stupid: you can imagine how much
respect they have for such teaching. It would be the same on the
Internet. A mandate requiring particular behavior which imparts no
comprehension of the reasons why or why not to engage in that behavior
will probably do little. But that is not to say let's throw up our
hands. People are not always fools, and often respond in reasonable
ways to societal consensus.

Paul DuBois
dub...@primate.wisc.edu

Charles Brunow

Nov 11, 1988, 3:28:38 PM

> >In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>
> ... , note that I'm
> NOT suggesting that anything crippling be done--just something that keeps
> security a high company/university/institute priority across ARPANET and
> elsewhere. I simply do not expect this attitude to come voluntarily.
>
> ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720

Just do it. All this blathering back and forth isn't going to
do any good. Use the time to write a monthly virus and announce
"THIS IS A TEST" and send it. We should vote on whether or not
to moderate it, of course, and then do it anyway. If you're
looking for analogies, how about Pasteur and his dead germs.

I can't see how a good defense for viruses can be developed
by people who have no first hand experience with them. We
really need to play around with these types of things if we
are to claim knowledge of effective defenses. And I'd love
to see just how secure we really are, wouldn't you? I especially
like to see smug fat cats get theirs, you know the "head-in-
the-sand" defense which leaves their tail waving around in the
air.

We should also have a newsgroup for virus/worm/cracker postings.
We know that they have better communications and more time
to devote to the subject than the typical sys-admin. We could
let them tell us what's what instead of worrying about whether
or not they're reading the security lists. Maybe this should
start out as a mailing list, and then use a worm to install the
group net wide? Worlds of possibilities!

--
CLBrunow - KA5SOF
c...@loci.uucp, lo...@csccat.uucp, lo...@killer.dallas.tx.us
Loci Products, POB 833846-131, Richardson, Texas 75083

Rob Robertson

Nov 11, 1988, 7:40:13 PM

In article <2...@taux02.UUCP> am...@taux02.UUCP (Amos Shapir) writes:
>I don't think I have seen anybody mention Sun's contribution to the spread
>of the worm. It may be ok for a university-grade software to be distributed
>with a debug option compiled in by default, especially when it's distributed
>almost free and with its source; but taking the same program, and selling
>it to unsuspecting customers without any quality check, is certainly
>negligent.

That combined with the notion that you think you're buying a fairly
secure product in SunOS 4.0 with "Secure RPC" and that someone from
Sun announced on the network that he had known about the sendmail hole
for several years, makes for a great case of negligence.

Hey, if all those wasted man/staff hours have got you down here is an
all-American way to recoup it.

rob
"In Japan the ratio of lawyers to engineers
is 1 : 10. In the US it's 10 : 1."

John Woods

Nov 11, 1988, 11:48:00 PM

In article <3...@itivax.UUCP>, s...@itivax.UUCP (Steve C. Simmons) writes:
> As for the folks who claim we're all better off because of this, I'm
> curious. What fixes have come forward since the worm *but not related
> to it*? None that I've seen. Folks are suddenly a lot more security
> conscious in general but are applying fixes only on this relatively
> narrow point. I'd say that we've had only a narrow improvement so far.
>
That's because all the people who know of existing bugs still don't want to
openly publish any bug fixes because Something Bad Might Happen. That's
because they just don't learn. Something bad will happen, again and again and
again, and they'll just say "I knew of that bug years ago, so I haven't
learned anything new."

Everyone who wants to strangle the wormer raise your right hand.
Everyone who knew about these bugs but didn't openly publish fixes for them
raise your left hand.
Everyone holding both hands up: please place them around your own neck and
throttle yourself.

--
John Woods, Charles River Data Systems, Framingham MA, (617) 626-1101
...!decvax!frog!john, jo...@frog.UUCP, ...!mit-eddie!jfw, j...@eddie.mit.edu

The preceding is the official opinion
of the management of radio station WB7EEL.

T. William Wells

Nov 12, 1988, 1:23:45 AM

In article <53...@medusa.cs.purdue.edu> sp...@cs.purdue.edu (Gene Spafford) writes:
: In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
: >In article <44...@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
: >>Does that make it less of a crime?
: >
: >Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
: >that you can feel justified about being smug and complacent re security?
:
: 2) Some of us are concerned about ethical issues in addition to
: technical issues. Too many people are not concerned with ethics,
: professionalism, liability, et. al. and we see technology as not
: providing all the answers to important questions. That you are
: unconcerned with ethics does not seem surprising to many of us.

Consider this part of a posting from Mr. Wiener:
<10...@agate.BERKELEY.EDU>, 21 May 88 07:50:12 GMT

: What I'm saying is that I consider my perception of right and wrong
: to really *be* a sense, like vision and hearing. It varies far more
: strongly than the standard five senses, between people and over time,
: yes, but it is still a basic sense. I would no more accept a theory
: of ethics that contradicts my observations of right/wrong than I would
: accept a physical theory that tells me I am seeing red when in fact
: I am seeing blue.

Here is my response to it:
<2...@proxftl.UUCP>, 3 Jun 88 04:35:36 GMT

: Let me translate the previous paragraph: What I feel to be right
: is right and what I feel to be wrong is wrong. Why? Because I
: feel it. Suppose that you have a theory that tells me how to
: distinguish right from wrong? If I do not feel it to be right, I
: will reject it, no matter what its merits.
:
: What you have asserted (minus the "perception" window dressing)
: is subjectivism (Websters Ninth collegiate: subjectivism 2b: a
: doctrine that individual feeling or apprehension is the ultimate
: criterion of the good and the right), pure and simple.

Mr. Wiener is unqualified to think about anything requiring moral
judgement. Which is to say, everything of importance.

: 3) Please, please insult Indiana some more -- it makes you appear so
: terribly clever and humorous. You're so cute when you're rabid.

He is in my kill file because of a number of things; when I see the
drivel he continues to spout (in the responses to said drivel) I am
pleased that he is there.

Mr. Spafford, you have been most reasonable in this debate; don't you
think that it is a good idea to stop encouraging this ethical midget
to post?

---
Bill
{uunet|novavax}!proxftl!twwells!bill

Obnoxious Math Grad Student

Nov 12, 1988, 7:48:19 PM

In article <4...@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>Being defeatist would matter if it caused us not to take a course
>of action which, if taken, would have made our installations more
>secure *or* less subject to attack. These are not quite the same.

My view is that the improve-ethics approach is the defeatist approach,
using the above definition.

>You have focused more on virus-proofing installations, others have
>focused on encouraging or requiring ethical behavior.

Not just virus-proofing, but security consciousness raising in general.
If all that came out of the Morris worm was anti-Morris-worm software,
we haven't learned anything.

> An insecure site is insecure regardless of whether it's been
>attacked. But if by "no result" we mean no difference in the number of
>*actual* attacks, then I think we can reasonably say that approaches
>oriented toward ethics will *not* be without result.

The number will not matter if just one of them is a complete major
disaster.

>> How many sites would be wiped out if a fire hit your computer room?
>> Are your backups in the same room as your disks and computers?

>That's correct, but there should still be consequences for someone who
>deliberately sets a fire, shouldn't there?

Of course. But how many sites make it easy?

>> Making theft possible only for those with the heaviest of hardware
>> does more, I hazard, than teaching kids to "just say no" to stealing.

>Well now, I'd say that this is mischaracterization of my argument
>(something I know you don't like when you think others do it to you),

Guilty as charged. What I should have said is in some of my other
recent articles.

Obnoxious Math Grad Student

Nov 12, 1988, 8:06:24 PM

In article <1...@twwells.uucp>, bill@twwells (T. William Wells) writes:
[miscellaneous gibbering omitted]

T. William Wells is what is known as a "Randroid" in the philosophy
newsgroups. This means, in summary, that anything he says regarding
what makes for morals or not is completely idiotic.

Obnoxious Math Grad Student

Nov 13, 1988, 11:19:44 PM

In article <4...@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>> Making theft possible only for those with the heaviest of hardware
>> does more, I hazard, than teaching kids to "just say no" to stealing.

>Well now, I'd say that this is mischaracterization of my argument
>(something I know you don't like when you think others do it to you),
>for the reason that enacting highly adverse consequences is not the
>same as saying "just say no".

I pleaded guilty here in a previous article, but on retrospect, I'm not
so sure your re-explained version is going to be so different than my
unfair version.

> "just say no" would probably be a failure
>in this arena just as I'll bet it will be in the public schools. From
>what I hear from the kids I teach in my sunday school class, they're
>taught to "just say no" (to, e.g., drugs, peer pressure), but not
>especially WHY. These kids aren't stupid: you can imagine how much
>respect they have for such teaching.

Right. So far I'm with you.

> It would be the same on the
>Internet. A mandate requiring particular behavior which imparts no
>comprehension of the reasons why or why not to engage in that behavior
>will probably do little.

I'd say my objections to "ethics" as an anti-viral measure boils down
to this: I don't have much confidence in the teaching of ethics period.
To cite an extreme example (not an analogy!): if you have to EXPLAIN to
someone that murder is wrong, as opposed to knowing that said person
understands instinctively that murder is wrong, then I would be afraid
to be near this person.

Moreover, I fear were such arguments, once digested, ever to become an
institutionalized replacement for a true moral sense in the people who
would be crackers anyway. The same mentality that can dig apart the
source for sendmail and ftp and find holes can just as easily dig apart
the reasons why activity XYZ is bad, and end up justifying activity XYZ
by "superior" counter-reasons.

Then again, maybe I've just read too many Asimov robot stories (ie, all
of them).

> But that is not to say let's throw up our
>hands. People are not always fools, and often respond in reasonable
>ways to societal consensus.

Good luck.

Hans Buurman

Nov 14, 1988, 3:18:29 AM

In article <1...@loci.UUCP> c...@loci.UUCP (Charles Brunow) writes:
>> >In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>
>> ... , note that I'm
>> NOT suggesting that anything crippling be done--just something that keeps
>> security a high company/university/institute priority across ARPANET and
>> elsewhere. I simply do not expect this attitude to come voluntarily.
>>
>> ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720
>
> Just do it. All this blathering back and forth isn't going to
> do any good. Use the time to write a monthly virus and announce
> "THIS IS A TEST" and send it. We should vote on whether or not
> to moderate it, of course, and then do it anyway. If you're
> looking for analogies, how about Pasteur and his dead germs.

Please, send us one ! I've been asking around on my own university network
what people were doing with the recent virus information. There were three
reactions:

a) This wouldn't have happened if they had been running vendor supplied
software instead of some public domain sendmail program.

b) Don't put our network in a bad light.

c) Attention, system administrators ! I have just found out that setuid
shell scripts are a security breach !

(Yes, all these people were serious !)

Mind you, we are not on the Internet yet. I can only hope that they learn
before things get serious. Your virus-of-the-month might just cause that.

Hans

-----------------------------------------------------------------------------
Hans Buurman | ha...@duttnph.UUCP
Pattern Recognition Group | mcvax!dutrun!duttnph!hans
Faculty of Applied Physics | tel. 31 - (0) 15 - 78 46 94
Delft University of Technology | "What this country needs is a good
the Netherlands | five cents virus/worm !"
-----------------------------------------------------------------------------
Disclaimer: any opinions expressed above are my own. They may have been
changed by a virus, however.

Claude Goutier

Nov 14, 1988, 10:39:15 AM

In respect to the worm incident, remember that
Happyness doesn't rhyme with Sloppiness.

There could be much fun and challenge in tightening up
a system while keeping it friendly for the end user.

Releasing an official version of a program like SENDMAIL
with debugging options turned on (especially when those
are compromising the security of the system) seems to me
a lack of concern and responsibility. Like the modeline
in VI, this makes me think of mild trojan horses casually
left over just in case it might prove helpful in some
future.

About the worm creator, I think he lacks maturity and
responsibility. I don't think that his purpose was to make
people think more seriously about security. He should have
known that showing a flaw is not enough to remove that
flaw (Have you heard of new releases of UNIX systems with
the sendmail option turned off yet for those sites which
received/paid for binary only?). When he realised that his
worm/baby went astray, did he help to repair his mischief?

As for programming, he was clever but missed his point since
the worm didn't go unnoticed, rather the contrary. Thus
a faulty program and an experiment that turned sour. This
does not qualify as brilliant. On a second thought, would you
hire such a programmer? Now think of the other smart good
guy who does not put his name on the front page of the
newspapers but who nevertheless makes a real contribution
to the field of computer science (think about Larry Wall,
Henry Spencer, Richard Stallman, etc. just a few names thrown
"pele-mele").

In conclusion, we should put more energy on closing up gaps
in our systems, than debating the mishap or virtue of the
people who illustrate the failures of our systems by absurdum.
To do otherwise is just a waste of resources and energy.
--
Claude Goutier Centre de calcul, Universite de Montreal
C.P. 6128, Succ "A", Montreal (Quebec)
gou...@iro.umontreal.ca Canada H3C 3J7 (514) 343-7234

Jim Meritt

Nov 14, 1988, 12:48:01 PM

In article <53...@medusa.cs.purdue.edu> sp...@cs.purdue.edu (Gene Spafford) writes:
}In article <16...@agate.BERKELEY.EDU> wee...@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
}>In article <44...@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes:
}>>Does that make it less of a crime?
}>
}>Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So
}>that you can feel justified about being smug and complacent re security?
}
}1) Rick (and I and others) are hardly smug and complacent about
}security. We're working on it, and have been working on it, for
}quite some time, although that is not our primary job. Just
}because we don't tell you and the Usenet about it doesn't mean
}we aren't acting on it. In fact, considering your behavioral
}aspects, not telling you about anything is an important part
}of a good security program.

From what I have seen, not telling people anything has been a major
component of the system(s) security program.

Might I submit that that is not a very reliable component - ignorance
can be cured, and I really would not want to be in the position of
depending on it NOT being done so.

Sure, Matt can irritate. But is he incorrect on the reality of the
situation? The world is not a nice place. Wishing it so does no
good. Fixing it does good.

LET'S GET THAT SECURITY NEWSGROUP UP FOR *U*S*E*R*S*!!!!!
Who do you think is using the systems?


Disclaimer: "It's mine! All mine!!!"
- D. Duck

Jon Zeeff

Nov 15, 1988, 10:23:25 AM

I sure wouldn't mind if some trustworthy group took it upon themselves
to randomly test systems for security problems and sent mail to root
if they found anything. Along with some guidelines for ethical
security testing, I think it's just what we need. A benign, carefully
written worm could also be a good thing.

--
Jon Zeeff A month ago, I broke your system and
umix!b-tech!zeeff modified your kernel. Can you prove
ze...@b-tech.ann-arbor.mi.us me wrong?

C. Harald Koch

Nov 15, 1988, 7:09:40 PM

In article <11...@xn.LL.MIT.EDU> ol...@xn.ll.mit.edu (Jim Olsen) writes:
>>From the Sunday New York Times (page 1):
>>"[Robert Morris] quickly recognized that things had gone terribly wrong
>>and, they disclosed, he arranged for a friend to send out instructions
>>on eradicating the virus to the same computers plagued by the virus."
>
>Has anyone identified this alleged eradication message? I checked our
>USENET logs at the time and found no such message. I only saw partial
>reports and patches, later refined as the worm was more fully analyzed.
>
>Where did this "friend" supposedly post the message?

First Message:
% From: f...@bar.arpa
% Newsgroups: comp.protocols.tcp-ip
% Subject: (none)
% Message-ID: <881103083...@iris.brown.edu>
% Date: 3 Nov 88 08:34:13 GMT
% Sender: dae...@ucbvax.BERKELEY.EDU
% Organization: The Internet
% Lines: 19
% Posted: Thu Nov 3 03:34:13 1988
%
% A Possible virus report:
%
% There may be a virus loose on the internet.
%
% Here is the gist of a message I got:
%
% I'm sorry.
%
% Here are some steps to prevent further transmission:
%
% 1) don't run fingerd, or fix it to not overrun its stack when reading
% arguments.
%
% 2) recompile sendmail w/o DEBUG defined
%
% 3) don't run rexecd
%
% Hope this helps, but more, I hope it is a hoax.
% qui
%

Second Message:
% From: sud...@HARVARD.HARVARD.EDU
% Newsgroups: comp.protocols.tcp-ip
% Subject: tracking anonymous messages
% Message-ID: <881105225...@ucbvax.Berkeley.EDU>
% Date: 5 Nov 88 21:32:25 GMT
% Sender: dae...@ucbvax.BERKELEY.EDU
% Organization: The Internet
% Lines: 7
% Posted: Sat Nov 5 16:32:25 1988
%
%
% If anyone cares who sent the anonymous message from f...@bar.arpa through
% isis.brown.edu, I did it. The machine influenza.harvard.edu is an
% annex terminal server. At the time I didn't want to answer questions
% about how I knew.
%
% Andy Sudduth
%

--
C. Harald Koch NTT Systems, Inc., Toronto, Ontario
c...@zorac.dciem.dnd.ca, c...@gpu.utcs.toronto.edu, c...@chk.mef.unicus.com
Note: some sites may still have zorac.dciem.dnd.ca as zorac.ARPA.
"I give you my phone number. If you worry, call me. I'll make you happy."

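Step 1 of the quoted message asks for fingerd to be fixed so that it cannot overrun its stack when reading arguments. As an added example (not fingerd's source and not part of any post in this thread), here is a bounded request-line reader in C; the function names, return codes and the 16-byte demo buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { REQ_OK = 0, REQ_EOF = -1, REQ_TOO_LONG = -2 };  /* hypothetical codes */

/*
 * Read one request line from `in` into buf[bufsz], stripping CR/LF.
 * At most bufsz-1 bytes are ever stored, so the caller's buffer cannot be
 * overrun however long a line the peer sends. An overlong line is drained
 * to its newline and rejected rather than silently truncated.
 */
int read_request(FILE *in, char *buf, size_t bufsz)
{
    size_t n = 0;
    int c, too_long = 0;

    if (bufsz == 0)
        return REQ_EOF;
    while ((c = getc(in)) != EOF && c != '\n') {
        if (n + 1 < bufsz)
            buf[n++] = (char)c;   /* room is always left for the NUL */
        else
            too_long = 1;         /* keep consuming, store nothing more */
    }
    buf[n] = '\0';
    if (too_long) {
        buf[0] = '\0';
        return REQ_TOO_LONG;
    }
    if (c == EOF && n == 0)
        return REQ_EOF;
    if (n > 0 && buf[n - 1] == '\r')
        buf[n - 1] = '\0';
    return REQ_OK;
}

static char demo_buf[16];   /* deliberately tiny so the overlong case is visible */

/* Feed constructed bytes through a temporary stream, read `count` requests,
 * and return the status of the last one (its text is left in demo_buf). */
int demo(const char *wire, int count)
{
    int rc = REQ_EOF;
    FILE *f = tmpfile();

    if (f == NULL)
        return REQ_EOF;
    fputs(wire, f);
    rewind(f);
    while (count-- > 0)
        rc = read_request(f, demo_buf, sizeof demo_buf);
    fclose(f);
    return rc;
}

int main(void)
{
    /* Constructed input: a 40-byte line followed by a normal request. */
    const char *wire = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nalice\r\n";
    printf("first  -> %d\n", demo(wire, 1));
    printf("second -> %d (\"%s\")\n", demo(wire, 2), demo_buf);
    return 0;
}
```

The overlong first line is consumed up to its newline, so the request that follows it is still parsed from a clean line boundary.
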
Mike Klaus

Nov 15, 1988, 9:19:54 PM
In article <3...@itivax.UUCP>, s...@itivax.UUCP (Steve C. Simmons) writes:
> Let's not. Suppose you found a security hole that would let you assassinate
> the president. Should you:
> (a) Tell the secret service,

Dumb idea. You would have to answer too many questions, like,
"Why were you thinking about this?"
"How did you find out?"
"You aren't supposed to know that. Who told you?"
"When were you planning to do this?"
"We don't believe you."
"We can't have you knowing this...."
"You have broken several laws already. Come with us....."

mak

"We're above the law. We can do anything to you that we want. Take the
pills, or we'll give you a shot...." - the thought police

pri=-10 Stuart Lynne

Nov 16, 1988, 8:57:19 PM
In article <10...@ncc.Nexus.CA> you write:
>In article <53...@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
>>
>Gene, we have to (at least partially) excuse him, because WE gave
>him the key! The person who needs "prosecuted" is the person who
>hardwired the "wizards" password into sendmail. For accomplices, round
>up every sys admin who didn't change it from the default.

>Does your car insurance cover theft of contents when you leave the
>doors unlocked?

Actually in this case it's more like whether my insurance company would
cover the theft if I knew that the door was locked but it was exceedingly
easy to break past the "lock". It's more likely that the insurance company
might try and recover costs from the manufacturer of my automobile for
providing a car with locks that they knew were easy to get past.

If you could prove that the manufacturer who distributed a product knew of a
potentially expensive security hole (or should have based on reasonable man
approach) and didn't close it they could quite probably be found liable for
damages. Of course they would try and collect from the originator of the
damage if they lost. The point being that they have deeper pockets and are
much easier to track down.

Check with your local consumer protection types for information on product
liability cases.

--
Stuart...@wimsey.bc.ca {ubc-cs,uunet}!van-bc!sl Vancouver,BC,604-937-7532

Brandon S. Allbery

Nov 19, 1988, 1:36:18 PM
As quoted from <1...@twwells.uucp> by bi...@twwells.uucp (T. William Wells):
+---------------
| [about Weemba]
| Mr. Spafford, you have been most reasonable in this debate; don't you
| think that it is a good idea to stop encouraging this ethical midget
| to post?
+---------------

Much as it may annoy you, Weemba has a good point to make about this whole
thing. (I do admit that his language is, as usual, almost(?) enough to
obscure the point he's trying to make.) In this particular case, the simple
point is that ethics isn't enough. Go ahead and sue Morris, or Cornell, or
whoever; but DON'T ASSUME THAT DOING SO WILL SOLVE ALL YOUR PROBLEMS.
Ethics is important, if only to encourage sysadmins to do something about
any security holes that come to their attention -- but it's by no means the
ultimate solution. Kids who are looking for "kicks" don't give a d*mn about
the law; as far as they'd be concerned, all that suing Morris would prove is
that they should make d*mn sure they aren't caught.

Promoting ethics is only useful when in conjunction with *real* security.

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!all...@hal.cwru.edu
allb...@skybridge.sdi.cwru.edu <ALSO> all...@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@<backbone>.

John M Chambers

Nov 21, 1988, 2:01:16 PM
In article <7...@mannix.iros1.UUCP>, gou...@ouareau.iro.umontreal.ca (Claude Goutier) writes:
> In respect to the worm incident, remember that
> Happiness doesn't rhyme with Sloppiness.
>
> There could be much fun and challenge in tightening up
> a system while keeping it friendly for the end user.
>
> Releasing an official version of a program like SENDMAIL
> with debugging options turned on (especially when those
> are compromising the security of the system) seems to me
> a lack of concern and responsibility. Like the modeline
> in VI, this makes me think of mild trojan horses casually
> left over just in case it might prove helpful in some
> future.
>
Not necessarily; I've seen just the opposite argument. The best metaphor
I've seen so far goes as follows: Disabling debug code for customer releases
is like a would-be pilot wearing a parachute to ground school, and taking
it off when in the air.

In other words, when you release code to customers, they invariably run it
in environments very different from your development lab, and they (mis)use
it in lots of ways that the developers didn't think of. You invariably get
problem reports, and that's when you really need the debug code. With it,
you can tell the customer "Re-run the 'foo' command with a '-d4' option and
tell me what it says." Think of how much easier this is than analyzing the
code to try to figure out by logic alone how it may generate the behavior
reported by the customer (and which you can't get on your system no matter
how much you try to set things up "just like" the customer's system).

The problem really wasn't that sendmail included a remote-debug facility;
I'd compliment its designers/installers for that. The problem was that
this debug facility included a remote-execute "feature". Considering
that sendmail is, in effect, a command interpreter (i.e., "shell") that
runs as root, doesn't always require a password, and is accessible from
the entire internet, such a shell escape seems a bit unwise. But a debug
facility doesn't necessarily require such a powerful feature.

I might also note that uucp's daemon potentially has similar problems, but
it has a simple way of limiting the damage. There is a control file (L.cmds
or Commands, depending on version) that contains a list of the allowed remote
commands. Anything not in the list is just simply not executed. Perhaps
sendmail's debug feature could profit from some such simple mechanism.

--
From: John Chambers <heart-of-gold.mitre.org!jc>
From ...!linus!!heart-of-gold!jc (John Chambers)
Phone 617/217-7780
[The above opinions were packaged by volume, not by weight;
some settling of contents may have occurred during distribution.]
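
The allowed-commands control file described in the post above is a default-deny allowlist. As an added example (not uucp's or sendmail's code, and not part of the original post), here is that check in C; the one-name-per-line file syntax, the function names and the metacharacter set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample control file: one permitted command name per line. */
static const char SAMPLE_CMDS[] =
    "# commands remote sites may request\n"
    "rmail\n"
    "rnews\n";

/* Characters that must never be passed on to a shell from a remote request. */
static const char SHELL_META[] = ";&|`$<>()\\\"'*?\n\r";

/* Return 1 if name[0..len) is exactly one non-comment line of `list`. */
static int listed(const char *list, const char *name, size_t len)
{
    const char *p = list;

    while (*p) {
        size_t linelen = strcspn(p, "\n");
        if (*p != '#' && linelen == len && memcmp(p, name, len) == 0)
            return 1;
        p += linelen;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Return 1 if the remote request may be executed, 0 otherwise (default deny). */
int request_allowed(const char *list, const char *req)
{
    size_t len;

    if (req == NULL)
        return 0;
    if (req[strcspn(req, SHELL_META)] != '\0')
        return 0;                    /* metacharacter anywhere in the request */
    len = strcspn(req, " \t");       /* command name is the first word */
    if (len == 0 || memchr(req, '/', len) != NULL)
        return 0;                    /* empty, or a path instead of a bare name */
    return listed(list, req, len);   /* exact match only, no prefixes */
}

int main(void)
{
    /* Constructed requests, as a remote peer might send them. */
    const char *reqs[] = { "rmail user@host", "rnews", "sh -c id",
                           "rmail user; sh", "/bin/rmail user", "rmailx" };
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-18s %s\n", reqs[i],
               request_allowed(SAMPLE_CMDS, reqs[i]) ? "allow" : "deny");
    return 0;
}
```

Anything not named in the list is refused, including requests that would have smuggled a second command behind a permitted one.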

Brandon S. Allbery

Nov 21, 1988, 10:07:08 PM
As quoted from <5...@dutrun.UUCP> by ha...@duttnph.UUCP (Hans Buurman):
+---------------
| Mind you, we are not on the Internet yet. I can only hope that they learn
| before things get serious. Your virus-of-the-month might just cause that.
+---------------

<Hollow, bitter laugh>

About a month and a half ago, one of the sysadmins at skybridge.sdi.cwru.edu
asked me for a copy of a certain program in use on ncoast which grants use
of root privileges without a password. I refused, explained why, and copied
the message to ncoast's Keeper of the Root Password as part of my on-going
effort to get him to stop placing convenience over security. (Said Keeper
claims that the program is more secure than giving out the root password to
those few people who occasionally need root access. Oh, really?)

Then the Internet virus broke. I hope the sysadmins of skybridge got the
message reinforced by it. Ncoast's root certainly didn't; he *still*
ignores me when I ask for the root access program to be dishonorably retired.

I'm still waiting for some cracker to break in that way....

(Note: I never did subscribe to the "easy password" rule, and still don't;
I would bet that my passwords will not be guessed by anyone, although
someone may be able to decrypt it with "fdes" or etc. I make no such claim
for our beloved root. Sigh. Three possible root passwords on a system is
at least two too many, even if they're well-chosen.)

Dieter Woerz

Nov 26, 1988, 9:15:16 AM
In article <177@heart-of-gold> jc@heart-of-gold (John M Chambers) writes:
> ...

>The problem really wasn't that sendmail included a remote-debug facility;
>I'd compliment its designers/installers for that. The problem was that
>this debug facility included a remote-execute "feature". Considering
>that sendmail is, in effect, a command interpreter (i.e., "shell") that
>runs as root, doesn't always require a password, and is accessible from
>the entire internet, such a shell escape seems a bit unwise. But a debug
>facility doesn't necessarily require such a powerful feature.
> ...

What I'd like to know is, what was this "feature" supposed to be used
for, as you can't use this feature without the debug option enabled.
So you can't use the "shell escape" within normal operation, why was
it included in the debug operation?

------------------------------------------------------------------------------

Dieter Woerz
Fraunhofer Institut fuer Arbeitswirtschaft und Organisation
Abt. 453
Holzgartenstrasse 17
D-7000 Stuttgart 1
W-Germany

BITNET: iaoobel.uucp!wo...@unido.bitnet
UUCP: ...{uunet!unido, pyramid}!iaoobel!woerz

T. William Wells

Nov 27, 1988, 1:41:07 AM
In article <13...@ncoast.UUCP> all...@ncoast.UUCP (Brandon S. Allbery) writes:
: As quoted from <1...@twwells.uucp> by bi...@twwells.uucp (T. William Wells):
: +---------------
: | [about Weemba]
: | Mr. Spafford, you have been most reasonable in this debate; don't you
: | think that it is a good idea to stop encouraging this ethical midget
: | to post?
: +---------------
: Much as it may annoy you, Weemba has a good point to make about this whole
: thing. (I do admit that his language is, as usual, almost(?) enough to
: obscure the point he's trying to make.)

Let me see. After perusing what postings remain of his (slogging
through sewage would have been more pleasant), I see four points he
is trying to make:

1) The Worm did us a favor by pointing out a security hole and by
increasing awareness of security issues.

2) It is no good blaming or prosecuting The Worm because that
doesn't accomplish anything.

3) Existing systems are not secure enough and this must change.

4) Things like The Worm should be done more often, to force
people to make their systems more secure.

Did I miss anything important?

1) It is true that The Worm did point out a security hole. It is
even arguable that he increased awareness of security issues,
though I believe that this is only a passing fad.

But. The cost of his method of pointing out the security hole
is, I imagine most sysadmins would agree, much greater than it
had to be. The counter-argument that no one would listen to
the other methods of presenting the hole is so much hogwash;
I'll not spend time (in this posting) re-explaining what's
wrong with this opinion.

2) It certainly won't replace the kilohours of others' time spent
by The Worm. Nor, by itself, will it prevent the future abuse
of systems by crashers. However, it will certainly raise the
perceived cost of crashing, with the effect of reducing the
number and maliciousness of crashers.

3) The systems are exactly as secure as the various people who
are responsible for them believe, all things considered, they
should be. Security has its costs; system administrators have
the current level of security as a consequence of balancing
the perceived cost of security over the perceived benefits of
security. This is a value judgement; Weemba the Mouth is
certainly not competent to make it for them.

As to whether system administrators would make their systems
more secure if they could, I imagine that most would; but that
decision, and its implementation, belongs to them and not to
Weemba.

4) If someone makes it a practice to exploit network security
holes on a regular basis, you can expect that most systems
will either be removed from the net, or will be given an
interface to the net that, while it will screen out most
security infringements, will also make the net much less useful
to the users. Economics virtually guarantees that result, at
least till technology makes it possible, if ever, to have a
secure network.

Let me put it this way: if some virus, worm, or what have you
were to come in over the net on a regular basis, we at
Proximity would simply disconnect from the net. Period. We
can't afford to have our machines put down by such problems;
the value of net access doesn't even come close to the cost of
recovering from them.

Are we unique? I don't think so. The attempt to *force*
security on the net will simply result in the fragmentation of
the net.

Screwing over relatively unsecure systems seems to be the core of the
Mouth's position: that since system administrators, vendors, and
others do not, in his overweening opinion, care enough about
security, they should be *forced* to care about it. Since there is
no legal compulsion available, one ought to pound on existing
security holes till the systems are as secure as the Mouth would like
them to be.

Like I said. Weemba the Mouth is not competent to make ethical
judgements, yet that is exactly what he is doing. Well, he's
entitled to his own incompetence, but we ought not to pay any
attention to his rantings.

Brandon S. Allbery

Dec 2, 1988, 7:12:47 PM
As quoted from <2...@twwells.uucp> by bi...@twwells.uucp (T. William Wells):

+---------------
| In article <13...@ncoast.UUCP> all...@ncoast.UUCP (Brandon S. Allbery) writes:
| : As quoted from <1...@twwells.uucp> by bi...@twwells.uucp (T. William Wells):
| : +---------------
| : | [about Weemba]
| : | Mr. Spafford, you have been most reasonable in this debate; don't you
| : | think that it is a good idea to stop encouraging this ethical midget
| : | to post?
| : +---------------
| : Much as it may annoy you, Weemba has a good point to make about this whole
| : thing. (I do admit that his language is, as usual, almost(?) enough to
| : obscure the point he's trying to make.)
|
| Let me see. After perusing what postings remain of his (slogging
| through sewage would have been more pleasant), I see four points he
| is trying to make:
|
> (deleted)
|
| Did I miss anything important?
+---------------

Yup:

(5) Finger-pointing, setting blame, and punishing the perpetrator isn't
going to stop the NEXT person who gets it into his/her/its head to do
something like the Worm.

This is perhaps the most important point that has yet been made about the
whole Worm debacle. It'd be nice if people paid attention to it. The
others are either variations on this, or *suggestions* as to how to actually
get people doing something instead of pointing fingers.

T. William Wells

Dec 6, 1988, 1:24:13 AM
In article <13...@ncoast.UUCP> all...@ncoast.UUCP (Brandon S. Allbery) writes:
: As quoted from <2...@twwells.uucp> by bi...@twwells.uucp (T. William Wells):
: | Let me see. After perusing what postings remain of his (slogging
: | through sewage would have been more pleasant), I see four points he
: | is trying to make:
: |
: > (deleted)
: |
: | Did I miss anything important?
: +---------------
:
: Yup:
:
: (5) Finger-pointing, setting blame, and punishing the perpetrator isn't
: going to stop the NEXT person who gets it into his/her/its head to do
: something like the Worm.

But that is just a rephrase of point #2:

> 2) It is no good blaming or prosecuting The Worm because that
> doesn't accomplish anything.

---

That disgusting Weemba sent me e-mail, of his typically abusive kind,
in which he denies that he said #2.

If you are correct in your assertion that he said (5), which is just
a paraphrase of (2), then you have given me further evidence of his
intellectual dishonesty.

Since I don't have his messages any more, I can't verify that this is
true; do you have one of the messages where he said it, or failing
that, do you recall who it is that was archiving the worm discussion?

Brandon S. Allbery

Dec 12, 1988, 9:38:52 PM
As quoted from <2...@twwells.uucp> by bi...@twwells.uucp (T. William Wells):
+---------------
| In article <13...@ncoast.UUCP> all...@ncoast.UUCP (Brandon S. Allbery) writes:
| : (5) Finger-pointing, setting blame, and punishing the perpetrator isn't
| : going to stop the NEXT person who gets it into his/her/its head to do
| : something like the Worm.
|
| But that is just a rephrase of point #2:
+---------------

(Did this message get lost in a net.timewarp or something???!)

I dropped a line:

Thinking about security and TAKING ACTION TO
PREVENT FURTHER ABUSES will stop the next person.

The point was that constructive action is better than blaming everyone under
the sun (or Sun, as the case may be) for what happened. And some people
*still* haven't gotten the point yet.

+---------------
| That disgusting Weemba sent me e-mail, of his typically abusive kind,
| in which he denies that he said #2.
+---------------

You're disclosing the contents of email? (Paraphrased, but still not
proper.)

+---------------
| If you are correct in your assertion that he said (5), which is just
| a paraphrase of (2), then you have given me further evidence of his
| intellectual dishonesty.
+---------------

He said (not in so many words) the modified version of (5) above. He
expended quite a few classic tantrums on it, in fact; and I jumped into the
fray to try to rephrase them in a form acceptable to the rest of the world,
BECAUSE he had a good point.

And I think a distinction can be drawn between your #2 (which someone else,
I forget who, DID propose) and my #5 even though they start out the same
way: one is mindless flaming, the other offers an alternative and is
therefore constructive. (Constructive?! Will the world end? ;-)

+---------------
| Since I don't have his messages any more, I can't verify that this is
| true; do you have one of the messages where he said it, or failing
| that, do you recall who it is that was archiving the worm discussion?
+---------------

Ncoast had them until our news partition ran out of inodes and we had to
trash them to get inodes back (no, it ISN'T the System V Alzheimer's bug,
System III doesn't do inode caching of that sort).
