jc@cdx39.UUCP (John Chambers) (12/16/86)
Well, I've gotten lots of letters recently in response to my complaints about how hard it is to learn the good stuff about how insecure this system is. It seems that lots of people out there are interested in ways of making/breaking their systems.

So far, I haven't gotten any hot leads for the mythical unix-security mailing list (or newsgroup or whatever), so I guess I'll have to take it upon myself... If you would like to partake in a discussion of ways of defending your system from attack, send me an interesting security-related letter, and I'll set up a mailing list. [This is, of course, a thinly-disguised attempt to get all of you to tell me what you know about security.]

There was an interesting posting recently in the other direction, from a person who said that none of his users had passwords, and they never had any problems. This is certainly another approach, and it might be interesting to see a discussion of the topic. After all, any sort of security that I've ever seen was rather intrusive, and functioned primarily to interfere with legitimate use of the system. If you want a convenient, productive environment, you probably want to minimize security. Or do you? Can anyone suggest a way of making a computer system reasonably secure from malicious intrusion, while interfering minimally with its legit users?

BTW, I personally consider "idiot-proofing" to be a facet of security. I'd be interested in system designs that somehow let me say "rm -r *" when I really mean it, but interfere when I don't mean it. Or, expressed differently, is there a syntax that would make such things easy to type intentionally, but hard to type accidentally?

Such a syntax could be of interest to high-security people. A system that audits such commands could do a lot of quite unobtrusive checking and fingering of guilty parties.

One useful security approach, after all, is to pretend to be open and inviting, while eliciting sufficient information that you can successfully prosecute intruders later. Such systems have been termed "hacker traps". A shell that pretended to accept series of commands like:

	cd /
	rm -r * &
	exit

while not actually doing them could be a good hacker trap.

[I hope I'm not too badly inundated by replies. If I am, I may have to farm the job out to some of you. Also, this machine and/or I may go away in a few weeks, and I don't know yet where I may be working next, so be prepared for a fast reorganization of any mailing list.]

--
John M Chambers
Phone: 617/364-2000x7304
Email: ...{adelie,bu-cs,harvax,inmet,mcsbos,mit-eddie,mot[bos]}!cdx39!{jc,news,root,usenet,uucp}
Smail: Codex Corporation; Mailstop C1-30; 20 Cabot Blvd; Mansfield MA 02048-1193
Clever-Saying: For job offers, call (617)484-6393 evenings and weekends.
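
The "hacker trap" shell described in the post above, sketched as an added example that is not part of the original thread or any poster's code: a decoy that accepts commands, runs none of them, and keeps an audit record of who typed what and where. The class and function names, the watch list, the /usr home directory, the user and tty values and the fake job number are assumptions; the session is constructed from the three commands quoted in the post.

```python
import posixpath
import shlex
from datetime import datetime, timezone

WATCHED = {"rm", "rmdir", "mkfs", "dd"}   # assumed watch list of destructive commands
SESSION = ["cd /", "rm -r * &", "exit"]   # constructed input, taken from the post

class DecoyShell:
    """Hypothetical trap shell: accepts every command, executes none, audits all."""

    def __init__(self, user, tty):
        self.user, self.tty = user, tty
        self.home = self.cwd = "/usr/" + user   # simulated directory, no real chdir
        self.audit, self.alive = [], True

    def _flag(self, argv):
        if not argv or argv[0] not in WATCHED:
            return False
        if argv[0] != "rm":
            return True
        opts = [a for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
        recursive = any("r" in o.lower() for o in opts)
        broad = any(a in ("*", "/", ".") or a.endswith("/*") for a in argv[1:])
        return recursive and broad

    def handle(self, line):
        try:
            argv = shlex.split(line)
        except ValueError:                      # unbalanced quotes: keep the raw line
            argv = []
        background = bool(argv) and argv[-1] == "&"
        argv = argv[:-1] if background else argv
        # Record the directory the command was typed in, before any simulated cd.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "user": self.user, "tty": self.tty, "cwd": self.cwd,
                           "raw": line, "flagged": self._flag(argv)})
        if not argv:
            return ""
        if argv[0] == "cd":
            target = argv[1] if len(argv) > 1 else self.home
            self.cwd = posixpath.normpath(posixpath.join(self.cwd, target))
        elif argv[0] == "pwd":
            return self.cwd
        elif argv[0] == "exit":
            self.alive = False
        return "[1] 4242" if background else ""  # fake job banner; nothing was run

def replay(lines, user="guest", tty="tty03"):
    """Feed a recorded session to the decoy and return it for inspection."""
    shell = DecoyShell(user, tty)
    replies = [shell.handle(line) for line in lines if shell.alive]
    return shell, replies
```

Because the decoy sees the line before any glob expansion, the audit record keeps the literal "*" the user typed, which a wrapper around rm itself would never see.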
gaspar@almsa-1.arpa (Al Gaspar) (12/17/86)
John,

I am not sure that I am going to have too much luck sending this to you directly; so I am copying info-unix. There are two mailing lists that you might consider contacting: security@rutgers and mail.security@cisden. I subscribe to security@rutgers and am attempting to join mail.security (I'm not sure whether I just haven't reached them or they just don't want me :-)). Here are the blurbs on them off the net:

mail.security
	Contact: (boulder,hao,nbires)!cisden!sec-request
	Purpose: Discussion and comment (and sometimes bug fixes) which touch on the security aspects of the UNIX operating system. This mailing list is joined at the pleasure of the applicant's System Administrator and/or the list administrator.

SECURITY@RUTGERS
	This list is designed to provide a forum for discussion of the field of security in general, be it electronic, physical, or computer-related. Since the original idea was to name this list LOCKSMITHS, discussions about physical security and hardware are welcomed, but to broaden out into computer security and electronic access control and such is also valid. In other words, any subject matter relating to the *improvement* and *implementation* of security systems is okay, while how to *defeat* them is not.

	Messages are not digestified, but are filtered to keep things of questionable legality/content from escaping out to the network.

	All requests to be added to or deleted from this list, problems, questions, etc., should be sent to SECURITY-REQUEST@RUTGERS.

	Coordinator: *Hobbit* <AWalker@RUTGERS>

--
Al Gaspar <gaspar@almsa-1.arpa>
USAMC ALMSA, ATTN: AMXAL-OW, Box 1578, St. Louis, MO 63188-1578
COMMERCIAL: (314) 263-5118 AUTOVON: 693-5118
seismo!gaspar@almsa-1.arpa
wbp@cuuxb.UUCP (Walt Pesch) (12/20/86)
In article <1610@brl-adm.ARPA> gaspar@almsa-1.arpa writes:
>
>mail.security
> Contact: (boulder,hao,nbires)!cisden!sec-request

As far as I know, this fell off the end of the Earth quite some time ago. I know people that have asked the net.gods/fascists (depending on your viewpoint) for the current status, and the news has come down that there are some other people who were going to volunteer their efforts. However, I haven't seen or heard of any of the fruits of their labor.

Hopefully, someone will say I'm wrong and it's there but that I was lost in the shuffle, but I'm afraid that I'm correct.

Walt Pesch
{ihnp4,akgua,cbosgd,et al}!cuuxb!wbp
cuuxb!wbp@lll-crg
dennis@rlgvax.UUCP (Dennis Bednar) (01/15/87)
In article <988@cuuxb.UUCP>, wbp@cuuxb.UUCP (Walt Pesch) writes:
>
>mail.security

A friend of mine who worked here said he once heard about a book that listed about 100 different ways to break into UNIX, or security holes in UNIX (I'm not sure which).

He never saw the book, though. Was there really such a book printed?

--
-Dennis Bednar
{decvax,ihnp4,harpo,allegra}!seismo!rlgvax!dennis UUCP
dan@leadsv.UUCP (01/17/87)
In article <333@rlgvax.UUCP>, dennis@rlgvax.UUCP (Dennis Bednar) writes:
>
> A friend of mine who worked here said he once heard about
> a book that listed about 100 different ways to break into UNIX,
> or security holes in UNIX (I'm not sure which).
>
> He never saw the book, though. Was there really such a book
> printed?

The book is probably:

	UNIX System Security
	Patrick H. Wood/Stephen G. Kochan
	Hayden Book Company
	cost: ???
	ISBN 0-8104-6267-2

It covers "practical information for improving program, data, network, and access security" on UNIX.

Dan Gold
Lockheed Missiles & Space Company, Inc.
UUCP: ...!{atlas1, cae780, cfcl, endotsew, esl, excelan, hhb, hoptoad, krent, lll-lcc, mycroft, rtgvax, scampi, sunncal, tdms2}!leadsv!dan
INTERNET: ucdavis!lll-lcc!leadsv!dan@ucbvax.BERKELEY.EDU