[comp.sys.amiga] Internet UNIX

papa@pollux.usc.edu (Marco Papa) (11/07/88)

In article <2954@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
>In article <13232@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
>> This is dedicated to all the guys that claimed that "UNIX is much more
>> secure than the Amiga" with regard to viruses.
>> -- Marco Papa 'Doc'
>
>You claiming responsibility, Marco? (not serious here, folks)

I am not claiming anything. A "dedication" is a dedication, that's it.

>First of all, the channel of infection is a gaping hole in sendmail that
>isn't typical of UNIX mail systems. 

It didn't use just a hole in BSD sendmail, but also a hole in fingerd and 
included a very knowledgeable password guessing program, all put together. 
The password guessing program is general purpose, not BSD dependent.
If changed just a little bit, it could have been almost undetectable, and
if it had been changed just a little more, it could have been devastating.

>Finally, the virus was way more complex than any PC or Amiga virus needs to be.
>The typical PC or Amiga virus is a couple of hundred bytes long... and it's
>got complete access to the whole system... on any PC. This virus had a couple
>of hundred lines of prelude code, and was only able to infect a small fraction
                                                                 ^^^^^
>of the machines available to them... 

Tell that to the people at Stanford (with over 2000 machines infected) or
to the folks at CalTech, UCLA, USC, Berkeley, MIT, Lawrence Livermore, which
have had similar numbers of machines infected.  The latest count is that over 
6000 UNIX BSD hosts have been infected.

People have stayed up for 2 nights all over the US to "manually" eradicate
all the instances of the virus and many are still at work on it right at
this moment.  Try to guess how much money was lost in man-hours (and this
was fortunately a "sort of benign" virus).

> and a simple reboot would clear it out.
        ^^^^^^^^^^^^^
Bullshit! Get your facts. Read ...43-bugs or whatever that usergroup is called
for the details on how to kill the virus once and for all.

>I'm not saying, and I've never said, that UNIX is uninfectable. Just that it's
>a LOT harder to build a successful virus... that wouldn't be as successful as a
>simpler virus on an unprotected single-use system. This one is everything
>I've claimed a UNIX virus would be: highly complex, relatively limited in
>scope, easily killed and guarded against.
        ^^^^^^^^^^^^^
"Easily" killed doesn't mean much.  I can assure you that in $$$$$, this 
virus was much more costly than ANY of the Amiga viruses combined.  And
as you probably know, a student at Cornell did this one.  Just wait until 
organized crime gets into this business.

>I expect there will be more. I don't expect anything as virulent as the Byte
                                             ^^^^^^^^
>Bandit or Brain virus.

You ain't seen nothing, yet. Good luck on your dreams.

-- Marco Papa 'Doc'
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
uucp:...!pollux!papa       BIX:papa       ARPAnet:pollux!papa@oberon.usc.edu
 "There's Alpha, Beta, Gamma and Diga!" -- Leo Schwab [quoting Rick Unland]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

peter@sugar.uu.net (Peter da Silva) (11/07/88)

In article <13280@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
> In article <2954@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
> >First of all, the channel of infection is a gaping hole in sendmail that
> >isn't typical of UNIX mail systems. 

> It didn't use just a hole in BSD sendmail, but also a hole in fingerd and 
> included a very knowledgeable password guessing program, all put together. 

Without the bug in sendmail it wouldn't have a foothold for further infection.

Besides, "fingerd" is another BSD program. I presume it's a server to support
remote user lookup (my BSD manual is an OLD 4.2 one, and there's nothing
between fastboot and ftpd). Another case of BSD's priorities in the
convenience-vs-security spectrum.

> >The typical PC or Amiga virus is a couple of hundred bytes long... and it's
> >got complete access to the whole system... on any PC. This virus had a couple
> >of hundred lines of prelude code, and was only able to infect a small
> >fraction of the machines available to them...

> Tell that to the people at Stanford (with over 2000 machines infected) or
> to the folks at CalTech, UCLA, USC, Berkeley, MIT, Lawrence Livermore, which
> have had similar numbers of machines infected.  The latest count is that over 
> 6000 UNIX BSD hosts have been infected.

6000 VAX or Sun-3 UNIX hosts whose administrators and users have agreed among
themselves to allow an extraordinary amount of interconnectivity. Given that
most of these hosts are workstations, that's a tiny fraction of the machines
available to the virus.

> People have stayed up for 2 nights all over the US to "manually" eradicate
> all the instances of the virus and many are still at work on it right at
> this moment.  Try to guess how much money was lost in man-hours (and this
> was fortunately a "sort of benign" virus).

They left themselves open to this attack. This isn't a UNIX problem. This is
a political problem. They decided to go for convenience instead of security,
depending on goodwill and the threat of sanctions to keep people in line. I
suspect that even with this attack it's a good balance for their environment.
The man-hours that would have been lost to general hassles over the years
if these features hadn't been available probably counterbalance the time
spent tracking this sucker down.

The virus was tracked to its source in a matter of hours. Even the much more
virulent worms that abound in the PC world (more evidence, if any is needed,
for the greater susceptibility of unprotected single-user systems) are tracked
to their source within weeks. If someone had actually put a *real* virus in
the net they'd be hit so hard with so many charges and ill-will they'd never
get a job in this business again.

> > and a simple reboot would clear it out.
>         ^^^^^^^^^^^^^
> Bullshit! Get your facts. Read ...43-bugs or whatever that usergroup is called
> for the details on how to kill the virus once and for all.

If it's not executing, it's cleared out. All that's left is a handful of files
in temp, and some orphan inodes. Even if you leave them there you're safe.
You can get re-infected if you re-connect to the net after the reboot without
clearing up the holes that left you open in the first place. But that's rather
like expecting penicillin to keep you from ever catching clap again...

And using obscenities in a public message is not generally considered
appropriate behaviour. Are you trying for weembadom?

> >I'm not saying, and I've never said, that UNIX is uninfectable. Just that
> >it's a LOT harder to build a successful virus... that wouldn't be as
> >successful as a simpler virus on an unprotected single-use system. This one
> >is everything I've claimed a UNIX virus would be: highly complex,
> >relatively limited in scope, easily killed and guarded against.

>                               ^^^^^^^^^^^^^
> "Easily" killed doesn't mean much.

Sure it does. If this had been a really tough virus, like the ones that hide in
utilities and system files on PCs, the Internet would still be down.

> I can assure you that in $$$$$, this 
> virus was much more costly than ANY of the Amiga viruses combined.

In dollars? If the result is a little tightening of internet security this
virus will have had a positive dollar value.

Let's look at a typical PC virus. Let's look at the IBM PC world, where viruses
are more common. To the individuals involved, the Internet virus cost a couple
of nights sleep and a day's work. People with PCs have lost days or weeks of
valuable work when their files were eaten by a virus. I need more than just
your assurances that the total cost in grad-student-hours is greater than the
cost in real-productive-work lost to, say, the Israeli virus or the Brain
virus.

I suspect that the cost of a program like "Rogue", in grad-student-hours, is
far greater than this little mishap.

> And
> as you probably know, a student at Cornell did this one.  Just wait until 
> organized crime gets into this business.

If they do, they'll be using grad students from Cornell and Berkeley and other
places where BSD is popular to do the dirty work.

> >I expect there will be more. I don't expect anything as virulent as the Byte
>                                              ^^^^^^^^
> >Bandit or Brain virus.

> You ain't seen nothing, yet. Good luck on your dreams.

I've seen things you people can't possibly imagine. Didn't you bother to read
my pseudo-prophetic "Usenet Virus" article? Oh, of course you did... as I
recall you credited me with independently reproducing the work of some big
shot professor of yours.

Oh, speaking of ftpd:

From the 4.2BSD manual, 4 March 1983... in the BUGS section:

	"The anonymous account is inherently dangerous and should be
	 avoided when possible" [ you're still allowing anonymous ftp, no? ]

Let's look at rexecd. BUGS:

	"Indicating 'login incorrect' as opposed to 'password incorrect'
	 is a security breach which allows people to probe a system for
	 users with null passwords" [or, presumably, for people with
	 passwords in a list they're carrying around]

rlogind and rshd. BUGS:

	"The authentication procedure used here assumes the integrity of
	 each client machine and the connecting medium. This is insecure,
	 but useful in an 'open' environment"

Not only security holes, but *documented* as such!

For completeness, let's have a look at...

sendmail. This isn't in the BUGS section, but the implications are amazing:

	"Any address passing through the initial parsing algorithm as a
	 local address ... is scanned for two special cases. If prefixed
	 by a vertical bar ('|') the rest of the address is processed as
	 a shell command..."

That was 5 years ago. You people never learn.
-- 
		    Peter da Silva  `-_-'  peter@sugar.uu.net
		     Have you hugged  U  your wolf today?

	      Disclaimer: My typos are my own damn business.
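
As an added example (not code from any poster in this thread), the two documented 4.2BSD behaviours quoted above, a pipe-prefixed local address that sendmail hands to the shell and rexecd's distinguishable failure replies, each shown beside the defensive check; the function names, salt and account table are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample account table: username -> salted SHA-256 hex digest of
# the password, or None for an account whose password field is empty.
_SALT = b"constructed-demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {
    "alice": _digest("correct horse"),
    "guest": None,  # null password: the case the rexecd BUGS entry warns about
}
_DUMMY = _digest("placeholder-so-unknown-users-cost-the-same")


def is_pipe_address(address: str) -> bool:
    """True if the local part starts with '|', i.e. an address the sendmail
    manual says is processed as a shell command. A mail relay that accepts
    addresses from the network should refuse these outright."""
    local_part = address.split("@", 1)[0].strip().strip('<>"')
    return local_part.startswith("|")


def leaky_login(user: str, password: str) -> str:
    """Models the documented rexecd behaviour: the reply says whether the
    account exists, and an empty password field admits anyone."""
    if user not in USERS:
        return "login incorrect"
    stored = USERS[user]
    if stored is None or hmac.compare_digest(stored, _digest(password)):
        return "ok"
    return "password incorrect"


def uniform_login(user: str, password: str) -> str:
    """Hardened variant: one failure message for every failure, the same hash
    work whether or not the account exists, and null-password accounts are
    refused rather than admitted."""
    stored = USERS.get(user)
    if stored is None:
        hmac.compare_digest(_DUMMY, _digest(password))  # keep timing uniform
        return "login incorrect"
    if hmac.compare_digest(stored, _digest(password)):
        return "ok"
    return "login incorrect"


def reveals_accounts(login) -> bool:
    """Self-check a defender can run against a login routine: does a wrong
    password on a real account answer differently from an unknown account?"""
    return login("alice", "wrong") != login("no-such-user", "wrong")


if __name__ == "__main__":
    print("pipe address rejected:", is_pipe_address("|some-command"))
    print("leaky reveals accounts:", reveals_accounts(leaky_login))
    print("uniform reveals accounts:", reveals_accounts(uniform_login))
```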

pa1590@sdcc15.ucsd.edu (pa1590) (11/08/88)

In article <13280@oberon.USC.EDU> papa@pollux.usc.edu (Marco Papa) writes:
>In article <29
(Marco and Peter are conversing...)

>>The typical PC or Amiga virus is a couple of hundred bytes long... and it's
>>got complete access to the whole system... on any PC. This virus had a couple
>>of hundred lines of prelude code, and was only able to infect a small fraction
                                                                 ^^^^^
>>of the machines available to them... 
>
>Tell that to the people at Stanford (with over 2000 machines infected) or
>to the folks at CalTech, UCLA, USC, Berkeley, MIT, Lawrence Livermore, which
>have had similar numbers of machines infected.  The latest count is that over 
>6000 UNIX BSD hosts have been infected.

Or we folks at UCSD, with at least a dozen machines infected. Of
course, with the load on the undergraduate computers, I couldn't
really tell the difference. According to the LA Times, over
70,000 machines caught it.

>People have stayed up for 2 nights all over the US to "manually" eradicate
>all the instances of the virus and many are still at work on it right at
>this moment.  Try to guess how much money was lost in man-hours (and this
>was fortunately a "sort of benign" virus).

And don't forget all the money spent to send this discussion around
the world, eh?                                                  8-) 

>You ain't seen nothing, yet. Good luck on your dreams.
>-- Marco Papa 'Doc'


-- 
Stephen Hartford 
shartford@ucsd  SDAUG Hotline (619) 221-7168
San Diego Amiga Users Group P.O.Box 80186, San Diego, CA 92138-0186

dillon@POSTGRES.BERKELEY.EDU (Matt Dillon) (11/08/88)

Peter da Silva  `-_-'  peter@sugar.uu.net Writes:
>They left themselves open to this attack. This isn't a UNIX problem. This is
>a political problem. They decided to go for convenience instead of security,
>depending on goodwill and the threat of sanctions to keep people in line. I
>suspect that even with this attack it's a good balance for their environment.
>The man-hours that would have been lost to general hassles over the years
>if these features hadn't been available probably counterbalance the time
>spent tracking this sucker down.

	No we didn't.  This *IS* a UNIX problem.  This is NOT a political
problem (when are pirates&relations ever political?).  Do you think that
the mere half dozen items you cited are the entire list?  Those items are,
in fact, the best protected of the lot and STILL have holes.  There are
many dozens of holes in the UNIX OS and most of them have nothing to do
with networking.

	Threat of sanctions to keep people in line?  Hah!

>The virus was tracked to its source in a matter of hours. Even the much more
>virulent worms that abound in the PC world (more evidence, if any is needed,

        No it wasn't.  Somebody squealed and somebody else got lucky.  
Oh sure, they knew the general area, but that was only because the worm
was apparently tested a couple weeks before release.  Theoretically you
would be able to trace it down to the local net using the sendmail log,
but many machines either have it turned off or only log a day or two.

>the net they'd be hit so hard with so many charges and ill-will they'd never
>get a job in this business again.

	Nope, wrong.  Just about everybody agrees that we were lucky.
It is very, very easy to break into somebody (possibly non-local-machine's)
account and start your virus from there, in which case the trace stops
at a deadend.  With real time access to 6000 machines, one simply tries
to break into, say, 20 at a time (in parallel), never repeating a machine
at intervals more than, say, a week.  Nobody would notice.

	Anybody who intended to introduce a real virus wouldn't have much
of a problem.  Infiltration by password breaking and .rhosts is absurdly
simple.  Telnet'ing to other machines or simply phoning them via tip
(try to trace that!) and breaking passwords would certainly cause havoc,
especially if you took pains to make the virus undetectable.

					-Matt

papa@pollux.usc.edu (Marco Papa) (11/09/88)

In article <2965@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
>In article <13280@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
>> In article <2954@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
>Besides, "fingerd" is another BSD program. I presume it's a server to support
                                              ^^^^^^^
>remote user lookup (my BSD manual is an OLD 4.2 one, and there's nothing
                                         ^^^^^^^
>between fastboot and ftpd). Another case of BSD's priorities in the
>convenience-vs-security spectrum.

You "presume"? You are talking about things you know nothing about.
For your interest, fingerd is a protocol based on RFC742 that provides an 
interface to the name and finger programs at several network sites.
It is available not only on BSD, but on a variety of commercial UNIX SysV 
implementations. The password guessing program would work just fine on ANY 
UNIX, not just BSD.

>They left themselves open to this attack. This isn't a UNIX problem.

As Matt pointed out nicely, this *IS* a UNIX problem.  Even the MIT
"Kerberos UNIX" got infected. So much for "protected" UNIX.

>The virus was tracked to its source in a matter of hours. 

Wrong. The virus was started at 9PM Wednesday, and 24 hours later still the 
source was unknown.  Quoting the WSJ: "At some locations around the 
nation, the virus wasn't eradicated until Friday, and there is no way to 
be sure that it has been caught everywhere."

>> > and a simple reboot would clear it out.
>>         ^^^^^^^^^^^^^
>You can get re-infected if you re-connect to the net after the reboot without
             ^^^^^^^^^^^
>clearing up the holes that left you open in the first place.

Aha! Then a "simple" reboot is not enough.  Just what I said.

>> I can assure you that in $$$$$, this 
>> virus was much more costly than ANY of the Amiga viruses combined.
>
>In dollars? If the result is a little tightening of internet security this
>virus will have had a positive dollar value.

Sure, I agree.  The real problem is with people like you that say that "it 
is NOT a UNIX problem, but just a BSD problem" and that "don't expect anything 
as virulent as the Byte Bandit or Brain virus [on UNIX]".  Sweet dreams :-)

Quoting a fellow on the net that took the time for a personal reply:
"You must be running UNIX System V, in single user mode, with no network
connection, without any application binary on disk" :-)

>I suspect that the cost of a program like "Rogue", in grad-student-hours, is
>far greater than this little mishap.

Quoting again the Wall Street Journal:
"At NASA's Ames center, the 52,000 outside researchers hooked up to Ames each
has had to spend four to eight hours figuring out whether their computers
were infected. That's 142 man-years of work just because some bozo sticks
a virus on the machines, a NASA spokesman says."

>Oh, speaking of ftpd:
>From the 4.2BSD manual, 4 March 1983... in the BUGS section:
[lots of "prehistoric" stuff deleted]

I guess Matt already responded to this one.  1983? 4.2BSD?  You must be
joking. That confirms that you're talking with total ignorance of what
has been going on during the past 5 years.

>That was 5 years ago. You people never learn.

You definitely have a long way to go (5 years to catch up). Go buy the 
4.3 manuals at least; they're only $55 from USENIX.

-- Marco Papa 'Doc'
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
uucp:...!pollux!papa       BIX:papa       ARPAnet:pollux!papa@oberon.usc.edu
 "There's Alpha, Beta, Gamma and Diga!" -- Leo Schwab [quoting Rick Unland]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

peter@sugar.uu.net (Peter da Silva) (11/09/88)

In article <8811080626.AA16636@postgres.Berkeley.EDU>, dillon@POSTGRES.BERKELEY.EDU (Matt Dillon) writes:
> This *IS* a UNIX problem. [etc...]

No, it's a BSD problem. UNIX != BSD.

(UNIX != System V, for that matter, or even Xenix)

UNIX is a programmer interface (the system calls common to SIII and V7 would
make a good working definition of that) and a design philosophy (a minimal set
of systems calls aided by an "everything is a stream-file" paradigm).
-- 
		    Peter da Silva  `-_-'  peter@sugar.uu.net
		     Have you hugged  U  your wolf today?

	      Disclaimer: My typos are my own damn business.

karl@sugar.uu.net (Karl Lehenbauer) (11/09/88)

The fact is that at least the Internet virus *had* a password guessing
program.  An Amiga virus wouldn't need one.  

At least on Unix you have to get root to completely break it.  
Every Amiga program is root.

At least on Unix you have to exploit some bug to get in.
On the Amiga, every program is already all the way in.

Operating systems without support for memory protection can *never* be made 
anything other than "wide open."  Operating systems running on computers
with memory protection at least have a foundation for providing *some*
security.  If you don't agree that this is true, let me know, and why.
If you do, then you must agree that Unix at least has the potential to
provide some security (and does in fact provide some security) and 
unprotected machines like the PC (under DOS), Mac and Amiga do not.

I never said that Unix wasn't vulnerable and I think it's funny that the
quote (of peter@sugar) Marco chose to put in his "dedication" of the virus
was correctly caveat-laden about the vulnerability of Unix.  The latest virus
exploited widely known security holes.  You BSD guys didn't even try
to make your systems secure.

That the Internet virus would spread a lot faster than an Amiga one would be
expected because it has far greater connectivity and throughput than
we Amiga owners have.  This says nothing bad about Unix, except perhaps
that its ubiquity and ease of programming has enhanced its connectivity
and broadened its programmer-base, hence making it more vulnerable.
-- 
-- "We've been following your progress with considerable interest, not to say
-- contempt."  -- Zaphod Beeblebrox IV
-- uunet!sugar!karl, Unix BBS (713) 438-5018

dillon@POSTGRES.BERKELEY.EDU (Matt Dillon) (11/10/88)

:> This *IS* a UNIX problem. [etc...]
:
:No, it's a BSD problem. UNIX != BSD.
:
:(UNIX != System V, for that matter, or even Xenix)

	This particular Virus, yes, because it was written for BSD machines.
Viruses in general?  No.

						-Matt

peter@sugar.uu.net (Peter da Silva) (11/10/88)

In article <13322@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
[ a bunch of stuff ]

> Quoting a fellow on the net that took the time for a personal reply:
> "You must be running UNIX System V, in single user mode, with no network
> connection, without any application binary on disk" :-)

No, we're running a network of Xenix boxes with a single external uucp-only
connect. Our login is slightly modified. We don't have any illusions about
security between our machines, but I think it'd be at least moderately hard
to get in in the first place.

Of course since you claim that Xenix isn't UNIX I guess we must be safe.

> You definitely have a long way to go (5 years to catch up). Go buy the 
> 4.3 manuals at least; they're only $55 from USENIX.

If you have a 4.3 license they are. Otherwise they're not available at any
price. Why don't you quote the respective "BUGS" sections from today's
Berkeley manuals.

Here is the bottom line. I'm not going to say this again.

UNIX is not endowed with any particular virtue that makes it any more immune
to invasion than other minicomputer operating systems.

UNIX is not endowed with any particular failing that makes it any less immune
to invasion than other minicomputer operating systems.

Any minicomputer operating system, with multiuser protections and passwords,
is less susceptible than any microcomputer system with no protection at all.
If I lock my car it is slightly harder to break into. I mightn't be able to
keep a professional car-thief out, but the neighborhood kids won't take it for
a joy-ride.
-- 
		    Peter da Silva  `-_-'  peter@sugar.uu.net
		     Have you hugged  U  your wolf today?

	      Disclaimer: My typos are my own damn business.