[comp.unix.wizards] Should Dan post full details of his tty bugs?

richard@aiai.ed.ac.uk (Richard Tobin) (05/02/91)

In article <26844:May100:59:2591@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>I'd love to hear from anyone who can propose a simpler set of fixes
>that can still be proven to work.

While it seems likely that Dan's fixes are perfectly good, it wouldn't
be surprising if full discussion here led to further improvements (and
perhaps the discovery of other bugs).  If vendors are (for once) going
to incorporate these changes it would be good to subject them to the
most rigorous scrutiny.

For this reason I believe it would be best for Dan to post full details
of the various loopholes.

-- Richard
-- 
Richard Tobin,                       JANET: R.Tobin@uk.ac.ed             
AI Applications Institute,           ARPA:  R.Tobin%uk.ac.ed@nsfnet-relay.ac.uk
Edinburgh University.                UUCP:  ...!ukc!ed.ac.uk!R.Tobin

chogan@maths.tcd.ie (Christine Hogan) (05/04/91)

In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:

>For this reason I believe it would be best for Dan to post full details
>of the various loopholes.
I disagree.  I _don't_ have sources and I _do_ have lots
of idle undergrads lapping up this discussion and dying
for all the damaging details to be posted.  Dan is doing
exactly the right thing for my predicament.
-- 
Christine.
chogan@maths.tcd.ie                    ...!mcsun!maths.tcd.ie!chogan
chogan%maths.tcd.ie@cunyvm.cuny.edu

bill@franklin.com (bill) (05/05/91)

In article <1991May3.183159.23747@maths.tcd.ie> 
        chogan@maths.tcd.ie (Christine Hogan) writes:
: In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:
: >For this reason I believe it would be best for Dan to post full details
: >of the various loopholes.
: I disagree.  I _don't_ have sources and I _do_ have lots
: of idle undergrads lapping up this discussion and dying
: for all the damaging details to be posted.  Dan is doing
: exactly the right thing for my predicament.

You are in a fool's paradise. At least one of your undergrads is 
smart enough to figure out what to do with the hole given the 
clues already posted and to cover himself after using it. For as 
long as you remain ignorant of the details, you are prevented from
taking preventative action.

jkp@cs.HUT.FI (Jyrki Kuoppala) (05/06/91)

In article <4May91.201446.4564@franklin.com>, bill@franklin (bill) writes:
>You are in a fool's paradise. At least one of your undergrads is 
>smart enough to figure out what to do with the hole given the 
>clues already posted and to cover himself after using it. For as 
>long as you remain ignorant of the details, you are prevented from
>taking preventative action.

In a situation like this, the first question that comes to my mind is
'Is there any reason the undergrad won't show you the program (s)he
comes up with?'

And what's so horrifying about these undergrads using some common
holes anyway ?  They're supposed to learn something at the Uni, I
think, not supposed to be there to spy for the (insert your favorite
intelligence organization) or terrorize everyone else.

If your university atmosphere for whatever reason is filled with so
much hatred and so little will for cooperation that your users won't
tell you about the problems (with the benefit of getting to learn more
and discuss the problem with people knowing perhaps more of the
problems, to learn more) but instead they cause trouble to other
users, your university is in much more serious trouble than some lousy
computer security.

But then, nowadays when the counterproductive 'rules' and
'regulations' make just about anything or even thinking about it
illegal or seriously punishable, perhaps it's understandable that the
poor students are not willing to risk lawsuits or other penalties by
sharing their information with others.  I don't know, I certainly did
tell about the holes to the administrators but back then our Uni
didn't have all these myriads of written regulations with all kinds of
threats.

//Jyrki

cs202201@daffy.acslab.umbc.edu ( Joseph Reagle ) (05/07/91)

In article <1991May6.111540.17621@santra.uucp>, jkp@cs.HUT.FI (Jyrki
Kuoppala) writes:
|> In article <4May91.201446.4564@franklin.com>, bill@franklin (bill) writes:

|> In a situation like this, the first question that comes to my mind is
|> 'Is there any reason the undergrad won't show you the program (s)he
|> comes up with?'

      There are plenty.  Just the other day I had some major idiot that made
a program that iconified, moved, and terminated windows at an alarming
pace.  I think he is even a senior.  He nearly caused damage to my project.
I know I can type 'xhost -', but there are ways around that, and I hate to
see the friendly atmosphere of the workstation room close up because of
one fool.
        But like in so many other instances the majority of people disapproved
and he ended up getting quite a scare.

----------------------------------------
Femme, Femme, Fatale Femme
They play the headiest tricks
In the game. 
                 -Joseph Reagle
----------------------------------------

chogan@maths.tcd.ie (Christine Hogan) (05/07/91)

In <1991May6.111540.17621@santra.uucp> jkp@cs.HUT.FI (Jyrki Kuoppala) writes:

>In a situation like this, the first question that comes to my mind is
>'Is there any reason the undergrad won't show you the program (s)he
>comes up with?'
They are more than welcome if they tell me about problems,
but some of them don't, many do.

>And what's so horrifying about these undergrads using some common
>holes anyway ?
Oh well then, why don't I just give them all root access ?

>They're supposed to learn something at the Uni, I
>think, not supposed to be there to spy for the (insert your favorite
>intelligence organization) or terrorize everyone else.
Nice idea, but we were bitten by a malicious user who rm -rf'ed
the entire users partition a few years ago -- I can't blindly
trust my users, I wish I could, but some of them will abuse it.
-- 
Christine.
chogan@maths.tcd.ie                    ...!mcsun!maths.tcd.ie!chogan
chogan%maths.tcd.ie@cunyvm.cuny.edu

konczal@sunmgr.ncsl.nist.gov (Joe Konczal) (05/08/91)

   From: bill <bill@franklin.com>
   Date: 4 May 91 20:14:46 GMT

   In article <1991May3.183159.23747@maths.tcd.ie> 
	   chogan@maths.tcd.ie (Christine Hogan) writes:
   : In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:
   : >For this reason I believe it would be best for Dan to post full details
   : >of the various loopholes.
   : I disagree.  I _don't_ have sources and I _do_ have lots
                  ======================		
                  ======================		
                  ======================		
   : of idle undergrads lapping up this discussion and dying
   : for all the damaging details to be posted.  Dan is doing
   : exactly the right thing for my predicament.

   You are in a fool's paradise. At least one of your undergrads is 
   smart enough to figure out what to do with the hole given the 
   clues already posted and to cover himself after using it. For as 
   long as you remain ignorant of the details, you are prevented from
   taking preventative action.

If Dan posted full details, those who don't have the source to their
operating systems would still be unable to close the loopholes, but
many other undergrads, who are not smart enough or motivated enough to
figure it out on their own, would now know how to abuse these
loopholes.

If you really need to know the details of the loopholes Dan is talking
about why don't you try to convince him to send them to you, instead
of writing yet another naive, "doesn't every SA have the OS source,
and the time and ability to fix it immediately?", message to the
network.

--
Joe Konczal
konczal@ncsl.nist.gov

jmason@gpu.utcs.utoronto.ca (Jamie Mason) (05/09/91)

	Too much quoting...  The citations are too munged to figure out
who posted what:

> I disagree.  I _don't_ have sources and I _do_ have lots
> of idle undergrads lapping up this discussion and dying
> for all the damaging details to be posted.  Dan is doing
> exactly the right thing for my predicament.

> You are in a fool's paradise. At least one of your undergrads is 
> smart enough to figure out what to do with the hole given the 
> clues already posted and to cover himself after using it. For as 

konczal@sunmgr.ncsl.nist.gov (Joe Konczal) writes:
> If Dan posted full details, those who don't have the source to their
> operating systems would still be unable to close the loopholes, but
> many other undergrads, who are not smart enough or motivated enough to
> figure it out on their own, would now know how to abuse these
> loopholes.

	First of all, security through obscurity isn't.  There is never a
good reason to hoard information.  But that's been said about 5 times in
this thread already.  My main point is below:

	From the above three citations I would be led to believe that
undergraduate students are some kind of strange animal, suitable for
a zoo.  I can speak for myself and my peers, while the zoo part may be
true on, say Saturday night, :-) we are not vicious animals, we don't
bite.  Really.

	You know it seems that inciting such an atmosphere that
students and administrators are enemies is a *bad thing*.  If you treat
students like untrustworthy scum, they'll treat you like a totalitarian
dictator.  It's not good for either party.  It makes life much more
difficult for administration, and much less fun for students.

	If I figured out the bug, I would probably do it once, just to see
that it works, issuing such damaging commands as 'whoami' or 'id' as
root to see that it worked.   Then I would show the problem to the
system administrator.  You see we don't have a large reservoir of
MALICE, we have a large reservoir of CURIOSITY.  That is the way it is
supposed to be in a learning environment, right? 

	A few months ago, I found that the system was leaving world
readable VMCOREs (i.e. dumps of system memory at crash time).  I thought
it might be fun to read other people's process memory at crash time.
After pondering the ethics (curiosity vs privacy) for about an hour, I
came to the conclusion that no matter how much fun it would be, that data
was NOT MINE TO READ, so I did not read it.  Rather, I wrote a message to
the system administrator about the problem.

	Did it ever occur that some of these "idle undergrads" could
actually *SOLVE* your problem for you.  Armed with the details of the
bugs, someone could first check if they exist, (OH MY GOD!  EXPLOIT THEM!
RUIN THE SYSTEM!!! Take a valium.) and then perhaps even *FIX* them for
you, given read access to the appropriate source code.  I am sure that
there is at least ONE student at each site capable enough at kernel
hacking to fix the tty bugs. 

	Come on people, we want to all use the computer in harmony,
right?  Let's nurture an atmosphere of friendship and respect, not
enmity and fear.  

Jamie  ...  Segmentation fault (core dumped)
Written On  Thursday, May 9, 1991  at  03:09:58am EDT

bharat@computing-maths.cardiff.ac.uk (Bharat Mediratta) (05/09/91)

In article <26821@adm.brl.mil> konczal@sunmgr.ncsl.nist.gov (Joe Konczal) writes:
>
>   From: bill <bill@franklin.com>
>   Date: 4 May 91 20:14:46 GMT
>
>   In article <1991May3.183159.23747@maths.tcd.ie> 
>	   chogan@maths.tcd.ie (Christine Hogan) writes:
>   : In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:
>   : >For this reason I believe it would be best for Dan to post full details
>   : >of the various loopholes.
>   : I disagree.  I _don't_ have sources and I _do_ have lots
[stuff deleted]
>If Dan posted full details, those who don't have the source to their
>operating systems would still be unable to close the loopholes, but
>many other undergrads, who are not smart enough or motivated enough to
>figure it out on their own, would now know how to abuse these
>loopholes.
>
>If you really need to know the details of the loopholes Dan is talking
>about why don't you try to convince him to send them to you, instead
>of writing yet another naive, "doesn't every SA have the OS source,
>and the time and ability to fix it immediately?", message to the
>network.

Unfortunately, this whole deal is the result of something that never
should have happened.  System administrators are notably busy all the
time, whereas idle hackers usually (by definition) have a great deal
of idle time.  Who do you suppose is going to be able to react better
to a few hints, an overworked system administrator or some eager hacker?
Administrators are busy and don't want to deal with poring through
the manuals to figure out the hints that Dan has dropped in order to
patch some obscure bug with tty.  An undergrad with a lot of free time
on his hands (which is the majority, let's face it) is going to be
a lot more enthusiastic about spending a few hours with the old manuals
if it means he can find a new and interesting loophole in security.  All
that this discussion has accomplished is to weaken the security of another
thousand sites.  The correct response would have been to tell the 
people who developed the system and let them take care of it.  They know
who the authorized vendors are, and the vendors know who the authorized
system administrators are.  Sure, it'll take a while to get all the way
down to the system administrators, but at least that way the whole
USENET doesn't know about the latest security hole.  

This isn't the newsgroup for flames or for personal insults, and neither
is it the group for undermining system security.  The best thing to
do is for Dan to send the fix to the developers and drop the subject.  Maybe
that way we can prevent even more people from learning the trick.

--
|  Bharat Mediratta  | JANET: bharat@cm.cf.ac.uk                               |
+--------------------+ UUNET: bharat%cm.cf.ac.uk%cunyvm.cuny.edu@uunet.uucp    |
|On a clear disk...  | uk.co: bharat%cm.cf.ac.uk%cunyvm.cuny.edu%uunet.uucp@ukc|
|you can seek forever| UUCP: ...!uunet!cunym.cuny.edu!cm.cf.ac.uk!bharat       |

dhesi%cirrusl@oliveb.ATC.olivetti.com (Rahul Dhesi) (05/10/91)

In <1991May9.155614.14378@cm.cf.ac.uk>
bharat@computing-maths.cardiff.ac.uk (Bharat Mediratta) writes:

>Unfortunately, this whole deal is the result of something that never
>should have happened.  System administrators are notably busy all the
>time, whereas idle hackers usually (by definition) have a great deal
>of idle time.

Please!  Get your terminology straight.  Hackers make the best system
administrators, and a hacker (by definition) is seldom idle.  Perhaps
you were thinking of "crackers".  (Though the only type of cracker I
know that remains idle -- until eaten -- is the type you get from a
box).
--
Rahul Dhesi <dhesi@cirrus.COM>
UUCP:  oliveb!cirrusl!dhesi

dave@jato.jpl.nasa.gov (Dave Hayes) (05/10/91)

bharat@computing-maths.cardiff.ac.uk (Bharat Mediratta) writes:

>patch some obscure bug with tty.  An undergrad with a lot of free time
>on his hands (which is the majority, let's face it) is going to be
>a lot more enthusiastic about spending a few hours with the old manuals

>This isn't the newsgroup for flames or for personal insults, and neither
>is it the group for undermining system security.  The best thing to
>do is for Dan to send the fix to the developers and drop the subject.  Maybe
>that way we can prevent even more people from learning the trick.

That would have been GREAT at the outset, but now the damage is done.

The correct thing (assuming Dan was egoless) to do now would be to
disseminate the information he has in such a way as to get to the
system administrators that need to know (read *90%* of them) so that
they can plug the hole. 

Unfortunately, Dan has an ego...one big enough to sit around blabbering
that he knows something that we don't...and he feeds it by implying the
relative stupidity of those of us who are overworked and haven't the 
time to go searching through manuals to figure out the nature of 
the obscurity. 

This isn't the place for personal insults, eh? I think Dan insults a LOT
of people by his attitude. Let the guy take what he's been dishing out.
-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov       dave@jato.jpl.nasa.gov           ames!elroy!dxh

   If your own vice happens to be the search for virtue,
                                  recognize that it is so.

schwartz@karl.cs.psu.edu (Scott Schwartz) (05/11/91)

| >patch some obscure bug with tty.  An undergrad with a lot of free time
| >on his hands (which is the majority, let's face it) is going to be
| >a lot more enthusiastic about spending a few hours with the old manuals

So logically you should recruit them to help you fix the problem.
Unfortunately there is usually an adversarial relationship between the
users of a computer system and the people who run it.  Kinda like the
government in general, isn't it. :-) The fact that unix source code is
AT&T top-secret doesn't help matters any either.  Is it sensible that
the sources to mission critical software are unavailable to the people
who have to use it?

| >The best thing to
| >do is for Dan to send the fix to the developers and drop the subject.  Maybe
| >that way we can prevent even more people from learning the trick.
| 
| That would have been GREAT at the outset, but now the damage is done.

Dan has been complaining about this for years.  Like it or not,
vendors often don't fix important bugs on a timely basis.  Sometimes
the best thing to do is to nudge them.

mouse@thunder.mcrcim.mcgill.edu (der Mouse) (05/13/91)

In article <26821@adm.brl.mil>, konczal@sunmgr.ncsl.nist.gov (Joe Konczal) writes:
> If Dan posted full details, those who don't have the source to their
> operating systems would still be unable to close the loopholes, but

Exactly.  (To my mind this is one of the stronger reasons for posting
full details.)  Binary distributions are Evil.

					der Mouse

			old: mcgill-vision!mouse
			new: mouse@larry.mcrcim.mcgill.edu

smb@ulysses.att.com (Steven Bellovin) (05/14/91)

Several people have suggested that Dan post full details, simply because
responsible ``undergrads'' will at most verify the existence of the
problem, and then report it to the system administrator.  Some, it is
claimed, will even offer help in fixing the problem.

The above statements are true, but irrelevant.

It only takes one malicious user to wipe out an entire system.  Why
would someone do that?  I don't know -- why do some people slash
car tires, or scribble on bathroom walls?  There's no reason to think
that access to the Internet is a warranty of one's ethical behavior.
This much is certain:  some people commit such actions, for whatever
reason.

Even assuming I'm willing to trust all of my legitimate users -- and
that would be a rash assumption; most studies indicate that most
security problems are from insiders -- I'm not willing to wager that
no outsiders are using my system.  More precisely, given the apparent
density of security holes and lapses, I must assume that at some point,
people I don't trust will crack my system.  If that happens, I very
much want to prevent any further damage -- and we know that one of the
first things a {cr,h}acker tries to do is to collect more passwords for
use on other machines.  The holes Dan is talking about are directly
implicated here.

It is, incidentally, somewhat libelous to blame ``undergrads'' as a
class for being hackers.  It's simply that undergraduates as a class
are the youngest group with substantial representation on the Internet.
And, like it or not, age is well-correlated with the incidence of
all manner of anti-social behavior.  Call it lack of maturity, call
it idle hands, call it what you will -- but the fact isn't particularly
disputable.  Yes, there are responsible undergraduates -- the vast
majority, in fact.  And many of the ones who poke and pry into systems
really are trying to learn.  I sympathize -- I did (and do) the same.
But, just as the library finds it necessary to place some restrictions
on who can remove which books, and for how long, a responsible system
administrator takes precautions to ensure that *everyone* can use
the computer system.

		--Steve Bellovin

P.S.  Don't read this as saying Dan should or should not post full
details.  I have my own opinions, but I'm not in the mood to post
them now, amidst the sturm und drang.

bill@franklin.com (bill) (05/14/91)

: In article <26821@adm.brl.mil>, konczal@sunmgr.ncsl.nist.gov (Joe Konczal) writes:
: > If Dan posted full details, those who don't have the source to their
: > operating systems would still be unable to close the loopholes, but

This is simply not true. There are any number of potential
solutions to this kind of problem, ranging from kernel binary
hacks, to redistributing access to various machines, to buying the
source code, to network and kernel monitoring, to harassing one's
vendor, to guards in the terminal room, to kicking off the system
anyone who might abuse it, etc.

The thing some seem to forget is this: ignorance prevents an
informed response. As it stands right now, any person with even a
little programming skill and some time on their hands could
exploit the hints provided in this newsgroup; however, the
typical system administrator, not even knowing the extent of the
problem, is going to say, rightly, that he's got enough *known*
problems to deal with, without wasting time on what may be
totally irrelevant to his system. (Someone is likely to say that
the extent of the problem has been explained. Nonsense. For
something as ramified as this, the explanations posted here have
been woefully inadequate.)

The effect is that most system administrators will do nothing
about things, because they *can't*, and most sites that have
irresponsible users who become aware of the possibility of
exploiting this hole are going to get the shaft. If provided with
the precise details of the problem, those same irresponsible users
will still do their thing, but the system administrators will be
in a position where they can at least attempt to prevent any
significant abuse from happening, or can detect a use of this
hole and clean up afterwards.