jkp@cs.HUT.FI (Jyrki Kuoppala) (05/01/91)
>You remind me of the people who say (without knowing, of course) that >sendmail's debug hole was widely known before RTM made a fool of >himself. Does it make you feel wizardly to pretend that you know what >you're talking about? For the record, I also don't believe that the sendmail debug feature was 'widely known', whatever that means. But I personally ran into it independently, examining the SMTP protocol, and then noticed that strange things begin to happen after the (undocumented, I think, at least I found it by chance) debug command was given. This was some time before the Internet worm episode. And no, I didn't publicize it widely, just discussed it with a few friends of mine and the local administrators. Back then, I didn't know of a good way to communicate such holes and probably didn't even think anyone would be that interested in it. Don't know, perhaps if I had posted it to a newsgroup back then the worm episode wouldn't have happened. Not that I say it would have been good or bad. //Jyrki
terry@venus.sunquest.com (Terry R. Friedrichsen) (05/02/91)
jkp@cs.HUT.FI (Jyrki Kuoppala) writes: >For the record, I also don't believe that the sendmail debug feature >was 'widely known', whatever that means. And now I read in Unix TODAY! that the "Dutch crackers" are cracking systems by exploiting a sendmail bug, but "not the same one that the RTM worm used" (paraphrasing). Terrific. ANOTHER hole I could close if I only knew what it was. The Dutch crackers evidently have lists of security holes that they're playing off. I wish *I* could see those lists. Maybe I can get the crackers to send me mail, since Dan won't. ;-) Controlling security hole distribution is like controlling guns: if you do it, only the criminals will have guns (or security hole information). The ordinary citizen is defenseless. (Before you flame, please note that I am not taking sides here, merely pointing out the parallel.) Terry R. Friedrichsen terry@venus.sunquest.com (Internet) uunet!sunquest!terry (Usenet) terry@sds.sdsc.edu (alternate address; I live in Tucson) Quote: "Do, or do not. There is no 'try'." - Yoda, The Empire Strikes Back