brant@manta.UUCP (09/25/87)
To Lenny Tropiano:

The Unix PC system was clearly designed for use in "non-hostile" environments, where the few security problems that exist (and there are others) are not important. However, there may be people on the net using these machines in environments where security is important, thus we are responsible for not putting those users in jeopardy. As a result, it's irresponsible to post articles giving exact directions for violating system security. Even if you're not personally affected, that doesn't give you the right to post (or encourage others to post) how-to's on system cracking. Your one thoughtless posting certainly did far more damage than good.

--
Brant Cheikes
ARPA: brant@linc.cis.upenn.edu
UUCP: rutgers!cbmvax!cgh!manta!brant
Department of Computer and Information Science / University of Pennsylvania
lenny@quincy.UUCP (09/27/87)
In article <149@manta.UUCP>, brant@manta.UUCP (Brant Cheikes) writes:
>
> The Unix PC system was clearly designed for use in "non-hostile"
> environments, where the few security problems that exist (and there
> are others) are not important. [...]

Almost any environment given the correct circumstances can be "hostile." I wouldn't call displaying your Applications package at a show hostile, but given the person with the know-how...

> However, there may be people on the net using these machines in
> environments where security is important, thus we are responsible for
> not putting those users in jeopardy. As a result, it's irresponsible
> to post articles giving exact directions for violating system security.

Brant, I was *NOT* giving the people the "DIRECTIONS" for HACKING a machine; on the contrary, I was trying to help those people who are not experienced Administrators (especially those who took advantage of the "fire-sale" on 3B1's and know little about their hardware/software) to PROTECT their machine from possible illicit entry. Each and every "flaw" I detailed can be easily protected against with good administration. There are others that I know of that are a little more difficult, but nothing is IMPOSSIBLE.

> Even if you're not personally affected, that doesn't give you the
> right to post (or encourage others to post) how-to's on system cracking.
> Your one thoughtless posting certainly did far more damage than good.

Those people (me INCLUDED) that leave their machines connected to PHONE lines and are using Usenet HAVE TO BE AWARE of the possibility of problems, and ways to AVOID them. I wasn't "THOUGHTLESS", just CONCERNED! I would like to put my system up as a BBS someday (but I'm afraid of giving anyone SHELL ACCESS)... The only way to make a totally secure (?) UNIX is to do what Gould did ... make a filesystem (or directory) and chroot to it and only put what is necessary to SURVIVE without super-user privilege.

Again, Brant, I'm sorry if I upset you. But I have had very good response (mail-wise) from people who saw my article and thanked me for enlightening them! I'm sorry you weren't one of them.

Lenny Tropiano
ICUS Administrator
...quincy!icus!lenny
--
Lenny Tropiano                              ...seismo!uunet!swlabs!godfre!quincy!lenny -or-
American LP Systems, Inc.                   ...cmcl2!phri!gor!helm!quincy!lenny -or-
1777-18 Veterans Memorial Hwy.              ...mtune!quincy!lenny -or-
Islandia, New York 11722 +1 516-582-5525    ...ihnp4!icus!quincy!lenny
karl@ddsw1.UUCP (Karl Denninger) (09/27/87)
In article <149@manta.UUCP> brant@manta.UUCP (Brant Cheikes) writes:
>To Lenny Tropiano:
>
>The Unix PC system was clearly designed for use in "non-hostile"
>environments, where the few security problems that exist (and there
>are others) are not important. However, there may be people on the
>net using these machines in environments where security is important,
>thus we are responsible for not putting those users in jeopardy. As a
>result, it's irresponsible to post articles giving exact directions
>for violating system security. Even if you're not personally
>affected, that doesn't give you the right to post (or encourage others
>to post) how-to's on system cracking. Your one thoughtless posting
>certainly did far more damage than good.

I looked at this article a couple of times before responding, but couldn't help after close consideration...

As a system administrator, responsible for our company system (which is open to the public as well on a limited basis), I sure as heck *do* appreciate postings like the one you have referenced. They serve a very useful purpose as far as I can see -- the 'holes' referenced were *very* simple to uncover, and could be used by nearly anyone. Anyone who really 'traffics' in this kind of information probably already has it -- but people like myself do NOT. And by depriving me of this information, you prevent me from defending against such an attack on my equipment.

I'll take all the cards face up, please. Let me know where the holes are, and I'll evaluate how to deal with them in the context of my environment at my site.

--
Karl Denninger                        UUCP : ...ihnp4!ddsw1!karl
Macro Computer Solutions              Dial : +1 (312) 566-8909 (300-1200)
"Quality solutions at a fair price"   Voice: +1 (312) 566-8910 (24 hrs)
rjk@mrstve.UUCP (Richard Kuhns) (09/28/87)
In article <149@manta.UUCP> brant@manta.UUCP (Brant Cheikes) writes:
>To Lenny Tropiano:
>
>The Unix PC system was clearly designed for use in "non-hostile"
>environments,...
>...Even if you're not personally
>affected, that doesn't give you the right to post (or encourage others
>to post) how-to's on system cracking. Your one thoughtless posting
>certainly did far more damage than good.
>--
>Brant Cheikes
>ARPA: brant@linc.cis.upenn.edu
>UUCP: rutgers!cbmvax!cgh!manta!brant
>Department of Computer and Information Science / University of Pennsylvania

PLEASE don't listen to this person. Lenny pointed out a hole I hadn't noticed yet (we use 3b1s in a potentially hostile environment), which allowed me to plug it before it got used.

Brant: `certainly' did more damage than good? Please tell us where you got your data. You definitely didn't ask me for input.

I'd like to hear about other security holes I may not have noticed. Maybe I can't always do anything about it, but at least I'd have an idea on where to look.

--
                          !pur-ee!pur-phy!mrstve!rjk
Rich Kuhns                {ihnp4, decvax, etc...} !itivax!mrstve!rjk
dave@arnold.UUCP (09/28/87)
In article <149@manta.UUCP>, brant@manta.UUCP (Brant Cheikes) writes:
> As a result, it's irresponsible to post articles giving exact directions
> for violating system security. Even if you're not personally
> affected, that doesn't give you the right to post (or encourage others
> to post) how-to's on system cracking. Your one thoughtless posting
> certainly did far more damage than good.

I disagree. Lenny's posting caused me to fix some holes on my system. And triggered some other security related questions that I am going to research. If I can't find the answer anywhere, I might post the question to unix-pc.general or comp.unix.questions.

Have you read comp.os.vms recently? There has been a lot of heated discussion about security holes. I believe that unix-pc.general is a perfect place to discuss such issues since we are all unix-pc owners.

Signed,
Dave "Please keep me informed on my security holes" Arnold.

--
Name:   Dave Arnold
USmail: 26561 Fresno, Mission Viejo, Ca, 92691 USA
DDD:    Voice: +1 714 586 5894, Data: +1 714 458 6563 (nuucp)
UUCP:   ...!uunet!ccicpg!arnold!dave
lm@eta.ETA.COM (Larry McVoy) (09/29/87)
In article <149@manta.UUCP> brant@manta.UUCP (Brant Cheikes) writes:
>result, it's irresponsible to post articles giving exact directions
>for violating system security.

Bullshit. The best way to make a system secure is to do exactly what the poster did: broadcast the information on how to break in. Then it is *your* problem as a systems administrator to fix it. Pretending that the problem doesn't exist, or worse yet - knowing that it does and ignoring it, is a lazy man's reaction.

You ought to read the paper on Unix security. They say (probably more concisely) more or less the same thing I did. Have an open system and challenge people to break in. It's the quickest way to plug holes.

--
Larry McVoy
uucp: ...!{uiucuxc, rosevax, meccts, ihnp4!laidbak}!eta!lmcvoy
arpa: eta!lmcvoy@uxc.cso.uiuc.edu
shap@sfsup.UUCP (J.S.Shapiro) (09/29/87)
In article <55@quincy.UUCP>, lenny@quincy.UUCP (Lenny Tropiano) writes:
> In article <149@manta.UUCP>, brant@manta.UUCP (Brant Cheikes) writes:
> > As a result, it's irresponsible
> > to post articles giving exact directions for violating system security.
>
> Brant, I was *NOT* giving the people the "DIRECTIONS" for HACKING a machine,
> ...

This topic was discussed to death in unix-wizards many years ago. The resolution for that environment was that they created a mailing list of system administrators rather than post things to the net. In the UNIX PC domain this doesn't apply, as every owner is, like it or not, an administrator. As such, it makes sense to post things here.

If in fact people object enough to needing to work so hard to keep their Personal Computers safe, I hope that they will all object *loudly* to their sales reps/vendors, with *examples* so that we can get the right high level people here at AT&T to agree that UNIX administration is worth throwing more money at.

Sigh.

Jon Shapiro
AT&T Information Systems
scott@zorch.UU.NET (Scott Hazen Mueller) (09/29/87)
In article <209@ddsw1.UUCP> karl@ddsw1.UUCP (Karl Denninger) writes:
>In article <149@manta.UUCP> brant@manta.UUCP (Brant Cheikes) writes:
>>[Flame deleted]
>
>[Counter-flame also deleted]

Emotionalism aside, the basic point that Karl and Brant collectively made is that it *is* important for those of us who are (now, after the fire sale :-) sysadmins to have this information, but it is irresponsible to just randomly toss it around for all to see.

Suggestion: the larger Usenet around us has a security mailing list, that is moderated and is joined by mailing a request from the root account of each given machine. Surely this is trivial to implement, and is nowhere near as open as even a moderated group. I'm willing to support this from my machine; it won't be blindingly fast, but I am connected to uunet and talk to it twice daily. Mail me if you are interested. I know that *I* want to know about these holes.

\scott
--
Scott Hazen Mueller   ( near_me ? lll-crg!csustan!helium : uunet )!zorch!scott   (209) 527-1203
ignatz@chinet.UUCP (09/29/87)
Brant Cheikes criticized Lenny Tropiano's posting of security holes on the Unix/PC (3B1, etc.) in the referenced article; as both another individual and Lenny have defended the posting item-by-item, I won't go into that here. But I would like to point out that, in general usage, Lenny's posting is quite proper.

If you find that some people always leave the keys in their unlocked cars, you buy public service time and have one of those "Take a *chomp* bite out of crime!" commercials. If you discover that any person can calculate the last digits of the telephone company credit card by a simple algorithm, you don't responsibly publish the fact until the algorithm has been changed and new cards issued. In the latter case, "phone phreaks" may publish the algorithm, but responsible individuals neither do so nor perpetuate the handout.

Sound familiar? Both are "real world" security situations that have really occurred. In both cases, the operative definition of proper behavior was whether the knowledge of the security hole also included the information necessary to close it, and the person at risk had the means to easily do so. Start locking your car, and take the keys. Ok, simple enough. But you couldn't re-issue your telephone card number; at best, you could cancel it. As another example, fixable security holes have been publicized in such publications as Unix Review.

So it is in this case. In all of the security issues Lenny mentioned, there was also a simple fix provided that anyone--with or without a development system--could apply. And there are security holes that are known among those of us who worry about such things, but can't be reasonably fixed without kernel or utility source. *These* do not make it on the net; if they do, they fall under the purview of criticism such as Brant's.

I might point out that a common practice in the past was, if you *did* find a security hole that wasn't fixable, the fact that you knew of such a problem might be posted, along with offers to legitimate SA's to snail-mail the problem (and any workarounds, or at least detection methods), if they could prove their legitimacy. When most Unix systems were owned/operated by companies, this was relatively easy--mail a copy of your site license agreement, and/or a note on company letterhead. It's a bit more difficult now, but can still work.

Common sense--or, if you will, proper application of "fuzzy logic"--should prevail in deciding what to post, and what to hint at...

Dave Ihnat
Analysts International Corporation
ihnp4!homebru!ignatz || aicchi!ignatz || chinet!ignatz
(w) (312) 882-4673 (h) (312) 784-4544
--
Dave Ihnat
ihnp4!homebru!ignatz || ihnp4!chinet!ignatz
(w) (312) 882-4673
ken@braegen.UUCP (Ken Marchant) (09/29/87)
> As a result, it's irresponsible to post articles giving exact directions
> for violating system security. Even if you're not personally
> affected, that doesn't give you the right to post (or encourage others
> to post) how-to's on system cracking. Your one thoughtless posting
> certainly did far more damage than good.
> --
> Brant Cheikes
> ARPA: brant@linc.cis.upenn.edu
> UUCP: rutgers!cbmvax!cgh!manta!brant
> Department of Computer and Information Science / University of Pennsylvania

No. No. No. No.!!!

Often those of us using these systems in "hostile" environments are not sufficiently adept at determining security holes. If people out there on the net have found holes then you can be damn sure that malicious users in "hostile" environments will. The responsibility lies in making as many administrators as possible aware of security problems. The analogy is not telling people to use deadbolt locks and keep property well lit around their homes because we might be telling burglars how to break in. The demonstrated fact is that if there's a way in then people who want to will find it.

In fact one might wonder if Mr. Cheikes is not some interloper whose favourite hole has now been exposed. :-)

--
Ken Marchant
The Braegen Group, Toronto, Ontario
(allegra,linus,ihnp4,decvax)!mnetor!yetti!geac!braegen!ken
kathy@bakerst.UUCP (09/30/87)
In article <8700178@eta.ETA.COM> lm@eta.UUCP (Larry McVoy) writes:
>
>The best way to make a system secure is to do exactly what the
>poster did: broadcast the information on how to break in. Then it is
>*your* problem as a systems administrator to fix it.

Lenny said his purpose in posting was to help inexperienced, novice UNIX pc administrators find holes and protect their machines against those holes. Sounds good to me. He says he didn't post directions. (They look like directions to me in two cases out of three, but, hey, I won't quibble.) He also says the holes he mentioned can be easily protected against with good administration. But he doesn't go into any details as to what, exactly, that easy protection and good administration might be. So he helped find a few holes, but he didn't necessarily help anyone protect against those holes.

I want to know about holes, too - agreed. Seems to me, though, that, if you really want to be helpful, and if fixes and/or workarounds and/or protections against those holes are really all that simple - and especially if you're especially concerned about inexperienced administrators who may be unfamiliar with their hardware and/or software (which is, again, what Lenny said he was concerned about) - then you post fixes or workarounds or administration tips, too, in addition to the holes themselves. That would help people who may not yet have the experience or know-how to follow *your* dictum: "Then it is *your* problem as a systems administrator to fix it."

I personally had mixed feelings about the original posting. I've been a little irritated by postings of other people that say, in effect, "There's a TERRIBLE SECURITY HOLE in this machine - but I won't tell you what it is," so I'm left with all these Vague Feelings of Dread about what kinds of gaping holes there are that I don't know about and wouldn't even know to look for, much less how to guard against - but at least I could hope that knowledge about the holes was relatively confined. (Hey, I said I could *hope* :-) I had something of Brant's reaction to Lenny's posting - but I was also interested in seeing the specifics posted for a change, so at least I have some idea where the problem is.

Kathy Vincent
------> Home: {ihnp4|mtune|codas|ptsfa}!bakerst!kathy
------> AT&T: {ihnp4|mtune|burl}!wrcola!kathy
rich@oxtrap.UUCP (K. Richard Magill) (10/10/87)
This issue has also been discussed in the risks forum, the ACM, the arpa net etc. The most recent vote I've seen held the majority, (~60-40), to feel that publicizing holes is better for the lock-ers than for the lock-breakers. The theory is similar to the handgun discussion, (NO FLAMES NO FOLLOWUPS ON HANDGUNS!), that the criminals WILL have the tools and that the black-market will propagate them, so it's best if we arm the good guys the best we can.

In other words, Brant's work has made my 3b1 more than twice as useful as it started out, but in this case I, and usually the majority, disagree with him.

xoxorich.

ps, I seem to have lost Brant's gnu-keymaps. Can someone send them to me again?