[comp.unix.questions] Security mailing list, anyone?

jc@cdx39.UUCP (John Chambers) (12/16/86)

Well, I've gotten lots of letters recently in response to
my complaints about how hard it is to learn the good stuff
about how insecure this system is.  It seems that lots of
people out there are interested in ways of making/breaking
their systems.  

So far, I haven't gotten any hot leads for the mythical
unix-security mailing list (or newsgroup or whatever), so
I guess I'll have to take it upon myself...

If you would like to partake in a discussion of ways of
defending your system from attack, send me an interesting
security-related letter, and I'll set up a mailing list.
[This is, of course, a thinly-disguised attempt to get
all of you to tell me what you know about security.]

There was an interesting posting recently in the other
direction, from a person who said that none of his users
had passwords, and they never had any problems.  This is
certainly another approach, and it might be interesting 
to see a discussion of the topic.  After all, any sort
of security that I've ever seen was rather intrusive,
and functioned primarily to interfere with legitimate
use of the system.  If you want a convenient, productive
environment, you probably want to minimize security.  Or
do you?  Can anyone suggest a way of making a computer
system reasonably secure from malicious intrusion, while
interfering minimally with its legit users?

BTW, I personally consider "idiot-proofing" to be a facet
of security.  I'd be interested in system designs that
somehow let me say "rm -r *" when I really mean it, but
interfere when I don't mean it.  Or, expressed differently,
is there a syntax that would make such things easy to type
intentionally, but hard to type accidentally?

Such a syntax could be of interest to high-security people.
A system that audits such commands could do a lot of quite
unobtrusive checking and fingering of guilty parties.  One
useful security approach, after all, is to pretend to be
open and inviting, while eliciting sufficient information
that you can successfully prosecute intruders later.  Such
systems have been termed "hacker traps".  A shell that 
pretended to accept series of commands like:
	cd /
	rm -r * &
	exit
while not actually doing them could be a good hacker trap.

[I hope I'm not too badly inundated by replies.  If I am,
I may have to farm the job out to some of you.  Also, this
machine and/or I may go away in a few weeks, and I don't 
know yet where I may be working next, so be prepared for 
a fast reorganization of any mailing list.]

-- 
	John M Chambers			Phone: 617/364-2000x7304
Email: ...{adelie,bu-cs,harvax,inmet,mcsbos,mit-eddie,mot[bos]}!cdx39!{jc,news,root,usenet,uucp}
Smail: Codex Corporation; Mailstop C1-30; 20 Cabot Blvd; Mansfield MA 02048-1193
Clever-Saying: For job offers, call (617)484-6393 evenings and weekends.
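
[Added example, not part of the original thread: a POSIX sh sketch of the "hacker trap" shell described in the post above, which records every command line for audit and answers plausibly without running anything. The names decoy_shell, audit and AUDIT_LOG and the log format are assumptions made for this illustration.]

```shell
#!/bin/sh
# Decoy shell sketch: log what is typed, execute none of it.
# AUDIT_LOG, audit and decoy_shell are names invented for this example.

AUDIT_LOG="${AUDIT_LOG:-./decoy-audit.log}"

# Append one audit record: UTC time, claimed user, pretended cwd, raw input.
audit() {
    printf '%s\tuser=%s\tcwd=%s\tcmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$AUDIT_LOG"
}

# Read command lines from stdin and respond as a shell plausibly would.
# Input is only ever logged and pattern-matched; it is never handed to
# eval, exec or a real shell, so "rm -r *" changes nothing on disk.
decoy_shell() {
    trap_user=${1:-guest}
    trap_cwd=/usr/$trap_user          # pretended home directory
    while IFS= read -r trap_line; do
        [ -n "$trap_line" ] || continue
        audit "$trap_user" "$trap_cwd" "$trap_line"
        set -f                        # keep '*' literal while splitting words
        set -- $trap_line
        set +f
        case "${1:-}" in
            cd)          trap_cwd=${2:-/usr/$trap_user} ;;  # track, do not chdir
            pwd)         printf '%s\n' "$trap_cwd" ;;
            rm)          : ;;         # rm is silent on success, so stay silent
            exit|logout) return 0 ;;
            *)           printf '%s: not found\n' "${1:-}" ;;
        esac
    done
    return 0
}
```

Feeding it the three lines from the post (cd /, rm -r * &, exit) leaves the filesystem untouched and produces three audit records, the second showing the pretended working directory "/".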

gaspar@almsa-1.arpa (Al Gaspar) (12/17/86)

John,

    I am not sure that I am going to have too much luck sending this to you
directly; so I am copying info-unix.  There are two mailing lists that you
might consider contacting:  security@rutgers and mail.security@cisden.  I
subscribe to security@rutgers and am attempting to join mail.security (I'm
not sure whether I just haven't reached them or they just don't want me :-)).
Here are the blurbs on them off the net:


mail.security
    Contact: (boulder,hao,nbires)!cisden!sec-request

    Purpose: Discussion and comment (and sometimes bug fixes) which
    touch on the security aspects of the UNIX operating system.  This
    mailing list is joined at the pleasure of the applicant's System
    Administrator and/or the list administrator.

SECURITY@RUTGERS

   This list is designed to provide a forum for discussion of the field of
   security in general, be it electronic, physical, or computer-related.  Since
   the original idea was to name this list LOCKSMITHS, discussions about
   physical security and hardware are welcomed, but to broaden out into
   computer security and electronic access control and such is also valid.  In
   other words, any subject matter relating to the *improvement* and
   *implementation* of security systems is okay, while how to *defeat* them is
   not.  Messages are not digestified, but are filtered to keep things of
   questionable legality/content from escaping out to the network.

   All requests to be added to or deleted from this list, problems, questions,
   etc., should be sent to SECURITY-REQUEST@RUTGERS.

   Coordinator: *Hobbit* <AWalker@RUTGERS>

-- 
Al Gaspar	<gaspar@almsa-1.arpa>
USAMC ALMSA, ATTN:  AMXAL-OW, Box 1578, St. Louis, MO  63188-1578
COMMERCIAL:  (314) 263-5118	AUTOVON:  693-5118
seismo!gaspar@almsa-1.arpa

wbp@cuuxb.UUCP (Walt Pesch) (12/20/86)

In article <1610@brl-adm.ARPA> gaspar@almsa-1.arpa writes:
>
>mail.security
>    Contact: (boulder,hao,nbires)!cisden!sec-request

As far as I know, this fell off the end of the Earth quite some time
ago.  I know people that have asked the net.gods/fascists (depending 
on your viewpoint) for the current status, and the news has come down
that there are some other people who were going to volunteer their 
efforts.  However, I haven't seen or heard of any of the fruits of 
their labor.

Hopefully, someone will say I'm wrong and it's there but that I was 
lost in the shuffle, but I'm afraid that I'm correct.


Walt Pesch
{ihnp4,akgua,cbosgd,et al}!cuuxb!wbp
cuuxb!wbp@lll-crg

dennis@rlgvax.UUCP (Dennis Bednar) (01/15/87)

In article <988@cuuxb.UUCP>, wbp@cuuxb.UUCP (Walt Pesch) writes:
> >mail.security

A friend of mine who worked here said he once heard about
a book that listed about 100 different ways to break into UNIX,
or security holes in UNIX (I'm not sure which).

He never saw the book, though.  Was there really such a book
printed?
-- 
-Dennis Bednar
{decvax,ihnp4,harpo,allegra}!seismo!rlgvax!dennis	UUCP

dan@leadsv.UUCP (01/17/87)

In article <333@rlgvax.UUCP>, dennis@rlgvax.UUCP (Dennis Bednar) writes:
> 
> A friend of mine who worked here said he once heard about
> a book that listed about 100 different ways to break into UNIX,
> or security holes in UNIX (I'm not sure which).
> 
> He never saw the book, though.  Was there really such a book
> printed?

The book is probably:

	UNIX System Security 
	Patrick H. Wood/Stephen G. Kochan
	Hayden Book Company
	cost: ???
	ISBN 0-8104-6267-2

It covers "practical information for improving program, data, network, and
access security" on UNIX.

Dan Gold
Lockheed Missiles & Space Company, Inc. 

UUCP: ...!{atlas1, cae780, cfcl, endotsew, esl,
          excelan, hhb, hoptoad, krent, lll-lcc,
          mycroft, rtgvax, scampi, sunncal, tdms2}!leadsv!dan

INTERNET: ucdavis!lll-lcc!leadsv!dan@ucbvax.BERKELEY.EDU