[comp.sources.d] "cops" and robbers

jef@well.sf.ca.us (Jef Poskanzer) (03/28/90)

The recent posting of "cops", a Unix security assessment tool, points
out once again how much of a Red Queen's Race the security business
is.  Anything that tells the good guys what holes to plug also tells
the bad guys what holes to use.  The good guys have to keep up on all
the latest security assessment tools just to stay even.

Did you know that this latest Internet cracker was using Matt Bishop's
deszip?

When possible, it's great to post info about how to plug a hole without
revealing how to use the hole.  CERT does this when they can.  But it's
not always possible.  When instructions for fixing a hole reveal how to
exploit the hole, it is necessary to broadcast the instructions, and IT
IS ALSO NECESSARY THAT WE ALL APPLY THEM.

Did you know that a year and a half after the Internet Worm, some
manufacturers are still shipping systems with a DEBUG-enabled
sendmail?

Anyway, I don't want to get this tired old discussion going again, I
just wanted to point out that now that "cops" has been posted, there is
a new minimum level for Unix security.
---
Jef
                                   
  Jef Poskanzer  jef@well.sf.ca.us  {ucbvax, apple, hplabs}!well!jef

russ@wpg.com (Russell Lawrence) (04/08/90)

In article <1110@rwing.UUCP>, pat@rwing.UUCP (Pat Myrto) writes:
> Naturally, with rwing currently in the 'podunk' category I have 
> not been included on any of these mailing lists - like I said 
> earlier, not even given courtesy of a reply to my queries - my 
> knowledge is thus limited to the basics, and what I picked up from 
> text books, etc.  as described above.  

I share your lament.  Shortly after the Morris incident, I got 
about a dozen calls from business people who wanted me to beef up 
their systems security.  Being ignorant of the potential holes, I 
found myself unable to provide any real assistance.  As a result 
of their unassuaged fears, all of these sites have repeatedly 
declined netnews and email connections that would have greatly 
benefited the unix community in our area from the standpoint of 
jobs, machine sales, information exchange, etc.  

In a recent issue of the journal of the American Trial Lawyers 
Association, the president of that organization pointed out that 
the praise of "secrecy" and "secret knowledge" is one of the 
major barriers to the progress of our society as a whole.  The 
theory that secrecy or silence prevents problems from becoming 
worse has been used before in many fields of endeavor, politics, 
religion, health care, etc, and history has shown us that it 
doesn't work.  The underlying psychology reminds me of a childish 
ego game.  

Oddly enough, the only serious criminal hacker I've ever known 
personally was a young man with university affiliations that gave 
him ready access to USG and BSD source.  It pisses me off that 
this guy had access to information that is unavailable to me
because of the lame brain notion that people at large sites 
have a greater need to know, or greater integrity.  

Let me suggest that we start a new security mailing list based on 
the premise that knowledge should be widely available.  I'm sure
we'll get enough subscribers and contributors to make the thing
worth while.

In addition, let's maintain an archive listing the "secret" 
security mailing lists and their administrators and make this 
list readily available to the press.  If/when one of my client's 
machines is broken into, they may want to send sarcastic thank 
you notes to the Reverend Guardians of Esoteric Knowledge.  
-- 
Russell Lawrence, WP Group, New Orleans (504) 443-5000
russ@wpg.com   uunet!wpg!russ

pat@rwing.UUCP (Pat Myrto) (04/08/90)

In article <2258@wpg.com> russ@wpg.com (Russell Lawrence) writes:
} In article <1110@rwing.UUCP>, pat@rwing.UUCP (Pat Myrto) writes:
} >
} > [ ... description of small sites worthiness deleted ]
} 
}  [ ... description of "benefits" to the net of secrecy deleted ]
} 
} In a recent issue of the journal of the American Trial Lawyers 
} Association, the president of that organization pointed out that 
} the praise of "secrecy" and "secret knowledge" is one of the 
} major barriers to the progress of our society as a whole.  The 
} theory that secrecy or silence prevents problems from becoming 
} worse has been used before in many fields of endeavor, politics, 
} religion, health care, etc, and history has shown us that it 
} doesn't work.  The underlying psychology reminds me of a childish 
} ego game.  
} 
} Oddly enough, the only serious criminal hacker I've ever known 
} personally was a young man with university affiliations that gave 
} him ready access to USG and BSD source.  It pisses me off that 
} this guy had access to information that is unavailable to me
} because of the lame brain notion that people at large sites 
} have a greater need to know, or greater integrity.  
} 
} Let me suggest that we start a new security mailing list based on 
} the premise that knowledge should be widely available.  I'm sure
} we'll get enough subscribers and contributors to make the thing
} worth while.
} 
} In addition, let's maintain an archive listing the "secret" 
} security mailing lists and their administrators and make this 
} list readily available to the press.  If/when one of my client's 
} machines is broken into, they may want to send sarcastic thank 
} you notes to the Reverend Guardians of Esoteric Knowledge.  

AMEN!  I'll go for that! (suppressing a grin that goes past my ears).
Such a list would go a long way to helping smaller sites harden up,
and just possibly make it possible for some sites to get their
security level up to where they will be willing to devote some of
their disk space and CPU time to spreading the news and e-mail around.

Regarding the list of the cloak-and-dagger boys, it is indeed time
some of these folks, to some small extent, anyway, reap some of the
good will their attitudes have caused.  Seems the attitude is not
unlike the attitude one sees of many of our politicians these days
(everyone is stupid/untrustworthy except themselves...).  I'll leave
it as an exercise to the reader to figure out what side of the aisle
most of these critters sit on.  :-)

Thinking on this, perhaps this discussion should be moved over to
something like news.sysadm or such??  We seem to have digressed from
the subject of discussing the COPS package per se...

Anyway, I have set follow-ups in the header to go to news.sysadmin,
since that seems a closer fitting newsgroup.  If someone disagrees,
they can always edit the header ...

-- 
pat@rwing                                       (Pat Myrto),  Seattle, WA
                            ...!uunet!pilchuck!rwing!pat
      ...!uw-beaver!uw-entropy!dataio!/
WISDOM:    "Travelling unarmed is like boating without a life jacket"