karl@polyof.poly.edu (A1 karl muhlbach (staff) ) (12/12/89)
Dear All: I am a senior at Polytechnic University in Farmingdale N.Y. and I am working on a senior project concerning Unix System Security. The project will consist of a program that will traverse the file system checking for various security flaws and/or actual violations in security. I plan on checking for things like excessive SUID and GUID settings, ln's to user directories etc.. I also heard that there are a great deal of flaws with mail and UUCP. My problem is as follows. I need to gather together as much information as possible of the various areas of the Unix Operating System security flaws. I need this information to decide the areas of concentration that I will embark on. I realize that no one would and/or could tell me the specific flaws that exist, after all you don't know whether I am a "good guy" or "bad guy". Let me assure you all that my intentions are quite honorable and that you will have to take my word as a gentlemen. I would appreciate any information of the various flawed security areas of Unix and/or leads as to where I might find out these things. I have a book called "Unix System Security" by Patrick Wood but that only covers basic minor flaws. I would like to make this program as elaborate as possible. I WOULD APPRECIATE ANY CORRESPONDENCE CONCERNING THIS MATTER TO BE SENT VIA EMAIL TO THE ABOVE ADDRESS SINCE IT WOULD ASSURE ME A QUICKER RETURN AND SINCE I AM NOT ALWAYS ABLE TO CHECK THE NETWORK FOR REPLIES. THANK YOU IN ADVANCE FOR ALL YOUR TIME AND EFFORT IN MY BEHALF. Sincerely, Karl M.
tgg@otter.hpl.hp.com (Tom Gardner) (12/12/89)
Posting details of known UNIX security holes to the net is a *very* bad idea; I hope the reasons are obvious. This argument can be extended to e-mail: is it wise to e-mail security holes to someone you don't know? This is a general comment that is not" aimed" at any individual. tom gardner
peter@ficc.uu.net (Peter da Silva) (12/13/89)
I can understand people asking IBM-PC specific questions here. The PC group is noisy and there's no pc.tech group. I can understand discussions veering off to operating systems. But why on earth would you post an article that fits best into comp.unix.*, comp.security, and the UNIX Security mailing list to comp.lang.c. -- `-_-' Peter da Silva. +1 713 274 5180. <peter@ficc.uu.net>. 'U` Also <peter@ficc.lonestar.org> or <peter@sugar.lonestar.org>. "It was just dumb luck that Unix managed to break through the Stupidity Barrier and become popular in spite of its inherent elegance." -- gavin@krypton.sgi.com
bph@buengc.BU.EDU (Blair P. Houghton) (12/14/89)
In article <7276@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes: >I can understand people asking IBM-PC specific questions here. The PC >group is noisy and there's no pc.tech group. > >I can understand discussions veering off to operating systems. > >But why on earth would you post an article that fits best into comp.unix.*, >comp.security, and the UNIX Security mailing list to comp.lang.c. Can you say 'gets()'? --Blair "I knew that you could."
CCDN@levels.sait.edu.au (david newall) (12/25/89)
tgg@otter.hpl.hp.com (Tom Gardner) writes: > Posting details of known UNIX security holes to the net is a *very* bad idea; > I hope the reasons are obvious. Do you suggest that the bad people won't find out about security holes if those holes aren't published? So naive... Personally I wish to hear about problems as soon as possible; so they can be fixed. What would *you* suggest is the best way of securing Unix? David Newall Phone: +61 8 343 3160 Unix Systems Programmer Fax: +61 8 349 6939 Academic Computing Service E-mail: ccdn@levels.sait.oz.au SA Institute of Technology Post: The Levels, South Australia, 5095
tgg@otter.hpl.hp.com (Tom Gardner) (01/11/90)
David Newall Phone: +61 8 343 3160 Unix Systems Programmer Fax: +61 8 349 6939 Academic Computing Service E-mail: ccdn@levels.sait.oz.au SA Institute of Technology Post: The Levels, South Australia, 5095 writes: >>tgg@otter.hpl.hp.com (Tom Gardner) writes: >> Posting details of known UNIX security holes to the net is a *very* bad idea; >> I hope the reasons are obvious. >Do you suggest that the bad people won't find out about security holes if >those holes aren't published? So naive... Please reread my posting; I implied no such thing. To use an analogy of dubious validity, gun control does not prevent murder, but it does reduce the problem (is that a sufficiently contentious statement? ;-} ). >Personally I wish to hear about problems as soon as possible; so they can be >fixed. What would *you* suggest is the best way of securing Unix? Sorry, my magic wand is fresh out of twinkle dust today... ;) I want to hear about *fixes* as quickly as possible. The original posting could have resulted in details of *open* holes being widely circulated and read by persons of unknown responsibility; I hope you would agree that would be unwise. As to how to get Unix holes plugged: there are a number of conflicting approaches each of which has advantages and disadvantages, and I have no intention of proposing The Answer (tm). What is your Answer?
CCDN@levels.sait.edu.au (david newall) (01/15/90)
tgg@otter.hpl.hp.com (Tom Gardner) writes: > I want to hear about *fixes* [ to security holes ] as quickly as possible. > The original posting could have resulted in details of *open* holes being > widely circulated and read by persons of unknown responsibility; I hope you > would agree that would be unwise. I want security holes fixed as quickly as possible. Sitting quietly, waiting for fixes, does little to add urgency to such problems. The recent internet worm, which took advantage of a number of long standing security holes, serves as a fine example of how these issues can be ignored. Despite the fact that these were "well known" security problems, nothing had been done to correct the situation. I am grateful to the author, or authors, of the internet worm. They brought to the attention of the world, these rather obvious problems, and in such a way that the problems were fixed, and were fixed quickly. Never the less, the legal ramifications of the worm are likely to deter anyone else from using a similar technique to advertise security holes. Perhaps the author (or authors) might have served their purpose better by posting the program, not running it? David Newall Phone: +61 8 343 3160 Unix Systems Programmer Fax: +61 8 349 6939 Academic Computing Service E-mail: ccdn@levels.sait.oz.au SA Institute of Technology Post: The Levels, South Australia, 5095
chris@mimsy.umd.edu (Chris Torek) (01/17/90)
(NB: this does not belong in comp.lang.c) In article <6354@levels.sait.edu.au> CCDN@levels.sait.edu.au (david newall) writes: >The recent internet worm, which took advantage of a number of long standing >security holes, serves as a fine example of how these issues can be ignored. >Despite the fact that these were "well known" security problems, nothing had >been done to correct the situation. Despite the fact that people keep claiming that the finger bug and the sendmail `debug' bug were well known, nothing had ever been reported of them. If anyone knew of these bugs, it did not include those responsible for maintaining the software. -- In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163) Domain: chris@cs.umd.edu Path: uunet!mimsy!chris
bph@buengc.BU.EDU (Blair P. Houghton) (01/18/90)
In article <21880@mimsy.umd.edu> chris@mimsy.umd.edu (Chris Torek) writes: >(NB: this does not belong in comp.lang.c) Point taken. Go look in misc.legal. More facts available. --Blair "Sounds like a Romanian press release.."