al@mot.UUCP (Al Filipski) (03/01/85)
A co-worker and I here have written a paper on "UNIX Security". We describe the security features of UNIX, the most well-known ways of breaking in, and countermeasures to be taken against those who try to break in. The article is similar to the BSTJ article which appeared just after we had written ours. We submitted our article to a major popular computer magazine. The editor is uncertain about possible legal liability should anyone use information in the article towards illegal ends. I do not know at this point if it will be published or not. I'd like to poll the wizards on this point: Is free circulation of this kind of information a good or bad thing? I tend to belong to the free-speech school that says that dissemination of knowledge is a good thing and will strengthen UNIX security in the long run. For one thing, a problem stands a much better chance of being fixed if it is well-known. Second, with the proliferation of UNIX, there are a great many inexperienced administrators out there who are sitting ducks. They are often not hackers themselves and are at a disadvantage against people who have taken the time and energy to learn security by poking around themselves.

Experiences, opinions, facts, arguments, flames, etc. are requested via mail and will be summarized.

--------------------------------
Alan Filipski, UNIX group, Motorola Microsystems, Tempe, AZ U.S.A
{allegra | ihnp4 } ! sftig ! mot ! al
{seismo | ihnp4 } ! ut-sally ! oakhill ! mot ! al
--------------------------------
If not now - whom? If not me - when?
al@mot.UUCP (Al Filipski) (03/28/85)
A few weeks ago, I posted the following:

> A co-worker and I here have written a paper on "UNIX Security".
> We describe the security features of UNIX, the most well-known
> ways of breaking in, and countermeasures to be taken against
> those who try to break in. The article is similar to the BSTJ
> article which appeared just after we had written ours. We submitted
> our article to a major popular computer magazine. The editor is
> uncertain about possible legal liability should anyone use information
> in the article towards illegal ends. I do not know at this point if
> it will be published or not. I'd like to poll the wizards on this point:
> Is free circulation of this kind of information a good or bad thing?
> I tend to belong to the free-speech school that says that
> dissemination of knowledge is a good thing and will strengthen UNIX
> security in the long run. For one thing, a problem stands a much
> better chance of being fixed if it is well-known. Second, with
> the proliferation of UNIX, there are a great many inexperienced
> administrators out there who are sitting ducks. They are often not
> hackers themselves and are at a disadvantage against people
> who have taken the time and energy to learn security by poking
> around themselves.
>
> Experiences, opinions, facts, arguments, flames, etc. are requested
> via mail and will be summarized.

It generated many responses. 31 people said "publish", unequivocally. 8 people said that publication would generally be a good idea, but they had some reservations: typical comments by this latter group were "make sure system administrators see it first", "give generalities, not specifics", "don't expose things that binary-only sites couldn't do anything about", "don't expose major holes". 8 people said not to publish, or to publish only to system administrators somehow. I got a lot of legal advice about whether I would be sued or not and many requests for copies of the paper.
Well, it looks like BYTE is going to publish the article in a few months. It's really a pretty innocuous article. The things discussed are pretty well-known and I removed some detail from the description of some methods, such as the way of exploiting "local mode" on the other fellow's terminal to buffer up your own commands. I tried to give enough information so that someone would know what to guard against and how, but not to make it easy for the bad guy. When the article is published, I expect to get half a boatload of mail saying we gave away the store and another half boatload saying the article was trivial and incomplete. It IS incomplete. I thought of more things to say as I was mailing it off. It's a start, though.

As promised, a few selected comments follow:

---------------------------------
Hackers and other criminals already know many of the ways to break into systems. Only by making administrators aware of these things can the overall security level of systems be improved. Publish!
---------------------------------
Well, you can be sure that the criminals know about the holes and the good guys don't care. The only people you'll help are non-wizard Unix system owners (a growing population) and pimply-faced assholes with a modem. An interesting ethical problem. Good luck.
---------------------------------
Please please do. Tell everyone about them and that way if you don't fix the hole it's your own damn fault when someone uses it.
---------------------------------
I think it is good to publicize security problems, but the way you do so is important. In the magazine article, try not to give the reader a cookbook for breaking security. In other words, it is all right to say:

    One of the simplest ways to break security is to find the passwords of legitimate users. On most systems, a high percentage of the users will have passwords that are in the dictionary...
This will get your point across without giving people who don't know anything about unix other than how to break in, another tool to use. You should not include something like the following in your article.

    Below is a program which can be used to crack passwords on a Unix system.

    main(argc,argv)
    char *argv[];
    ...

This is especially true for the kmem hacks. You may mention that on many systems, kernel memory is readable, but don't include the program to spy on other people's input buffers.

. . . . . .
---------------------------------
Although your article may cause many Unix system administrators to squirm in their seats, I think it should be published.
---------------------------------
In general I am an advocate of exposing bugs to get them fixed, but have some reservations on that view. For example, I know of a major security bug in 4.2 which requires kernel modifications. I'd really like to circulate it -- but it is also a bug in Ultrix, which is binary only and poor Ultrix system managers will promptly find out that there is a major hole they cannot plug, but cannot live with either!
---------------------------------
I say print it and the hell with the flames...
---------------------------------
I, for one, would like to see a good paper on Unix security published in a major popular computer magazine for a number of reasons, most of which Bob and I mentioned in the introduction to our BLTJ paper. Good luck getting it published, and please aim me at it when it comes out.

Fred Grampp
research!ftg
---------------------------------
1. Other things equal, publish.

I think you should publish as much as you know. I agree with you that it is best in the long run for UNIX if this information is publicised, even if it might cause temporary embarrassment to a few systems administrators, and so on. UNIX security is pretty bad and the manual promises just enough token security (what with all that rwx--x--x, etc) to lull the naive into a false sense of safety.

2. Publishing is probably legal.

You should see a lawyer about this: it will, at least, put spine into your magazine editor. I am not a lawyer. But I read netnews, so here goes,

. . . . . . . . .
---------------------------------
I don't think it's a good idea to publicize security-related bugs. I agree that dissemination of knowledge is in general a good thing, but the sad fact is that just communicating a fact doesn't guarantee that the fact is acted upon instantly.

. . . . . . . . .

To sum up, publicizing security-related bugs _to_the_wrong_people_ is very bad. You have to make sure that they're all people who deserve to know about the bug, i.e. system administrators and Nice Guys. I'd sure be interested in getting a copy of your paper, but if "mot" were a binaries-only site, would you trust me with it? Heh, heh, heh ;-).
---------------------------------
I think that you will be sued, or your publisher will, if the article is published. I think that this is unfortunate. It is better to make these things known -- but do you really want the hassle of being sued?
---------------------------------
I cannot advise on the legal aspects, but I do agree with the position taken by Robert Morris+Ken Thompson in their password security paper:

    We did not attempt to hide the security aspects of the operating system, thereby playing the customary make-believe game in which weaknesses of the system are not discussed no matter how apparent.
---------------------------------
Yes, do every thing you can to get the stuff published. If you can't get it published, put it on the net. If you can't put it on the net ... mail me a copy.
---------------------------------
Having previous experience with "hackers" in the media sense of the word I would be opposed to publication of such information. If the hackers would have had such information they could have done a great deal of damage. Any of the recent items posted to the net about security should be kept as secret as possible.
There are *MANY* sites with *BINARY ONLY* that can't fix the bugs even if they know of them. Common knowledge of these holes would be disastrous for them. Locksmiths are not allowed to publish arbitrary pieces of information.
---------------------------------
Knowledge of known problems should be disseminated so that it can be fixed!
---------------------------------
I read your article in net.unix and am quite interested, since I have done research in the area of computer hacking (I also assist in a course on computer crime taught here at the U. of Pittsburgh). I do not think that it is too dangerous to publish such information, since anyone who wants to learn about breaking into computer systems just has to subscribe to TAP newsletter (if they're still in existence). When hackers find such information on their own, it usually travels fast, via computer bulletin boards set up for the exchange of hacking information (such as Pirates' Cove BBS in N.Y.). Also, the journal you may be publishing your article in is probably going to be read mostly by system administrators or respectable programmers. The few that MAY read your information and use it to break into a system will find out anyway, and that is the price we pay for freedom of information (one I'm glad to).
---------------------------------
I am not a serious hacker. I do administer a UN*X system for use by some folks, but that is only a part of my job. I, for one, would benefit greatly by having a list of what loopholes to plug. Things that are common knowledge are not a threat, things that are known to a few would be a big threat to me as I don't have the time to find them. I vote for publish.
---------------------------------
The plus side might be that hackers poking for the fun of it, who aren't naturally malicious, would be less likely to do accidental damage. This isn't a small thing.
---------------------------------
I strongly urge you to publish.
I am frankly astonished at the widespread ostrich-like attitude of many system administrators who post to the net, as if all the problems will go away if we just don't talk about them. Penetration analyses of other operating systems appear in the literature often--just look at SIGOP's journal--apparently without major fuss.
---------------------------------
I believe that security problems should be openly discussed. The best way to make sure a naive administrator knows what his hackers are doing is to discuss it in open forum. This will probably lead to sporadic attempts by the less sophisticated to crack security, but it's a good object lesson for all involved. The advanced users already know this stuff. This should also put more pressure on the system vendors to do it right. Nothing like a thousand binary only customers full of righteous anger. If you start a mailing list, or are interested in distributing your paper please let us know.
---------------------------------
Anthony,

My immediate reaction, which I am sure is no surprise to you, is to not publish it in the magazine unless it is thoroughly sanitized. A question that comes to mind is what group of folks do you want to recognize you as a Unix security guru? If it is the Unix hackers, then the magazine will achieve this. If it is the security faction, then the security forum is the place. I believe in free speech also, and have been burned by not being able to publish exciting results because they are sensitive. Or worse yet having to change the exciting results to a releasable form that begs the issue. This is what happened with my covert channel analysis stuff. The risk of publishing it in the magazine is getting labeled as irresponsible (I don't mean this the way it sounds, but have tried to write this sentence numerous times and can not do better.). It is definitely time for us to go get a beer and talk some things over.
---------------------------------
Philosophically, I'm of the opinion that security problems should be published as widely and as publicly as possible. I think the only way vendors will ever be convinced they should fix security problems is for enough people [who care about security - a lot don't] to scream at them; the only way people will ever learn what to scream about is for people who know what the problems are to tell them. On a practical level, however, people who do publish such things widely tend to get a lot of flack.
---------------------------------
I agree. Publish it all. This makes things better. I am sure that malicious hacker types cringe every time they see another one of "their secrets" made known to all of their potential victims.
---------------------------------
I think you are fairly safe in publishing it, but I'm no lawyer. The original UNIX Security papers appear in the UNIX manual sets, and they haven't been sued over it...
==============================================================================

--------------------------------
Alan Filipski, UNIX group, Motorola Microsystems, Tempe, AZ U.S.A
{allegra | ihnp4 } ! sftig ! mot ! al
{seismo | ihnp4 } ! ut-sally ! oakhill ! mot ! al
--------------------------------
If not now - whom? If not me - when?