honey@mailrus.cc.umich.edu (peter honeyman) (11/08/88)
John Moore asks: >Anyone with a source >license check to see if he slipped a trojan horse into uucico >or uuxqt or something? there's not a line of code in honey danber or 4.3uucp that was written by rtm. however, rtm's (independent) work on adding protection to uucp served as the inspiration for honey danber's tight-assed protection scheme. (e.g., by default, don't send files unless you placed the call; e.g., by default don't allow hosts to request files). his contribution here was a valuable one. peter
dmr@alice.UUCP (11/09/88)
References: <1445@anasaz.UUCP> <772@mailrus.cc.umich.edu> Pursuant to the responses of Honeyman and Mitchell to the worries of Moore and Nagle: Robert Morris (rtm, Morris Minor, the little enchilada) spent two summers, several years ago, in our group at Bell Labs. During the first, his major accomplishment was a complete rewrite of the uucp and accompanying software. As Peter noted, his version was considerably more secure than previous versions, and some of his insights influenced HoneyDanBer uucp. We ran it on our machines for nearly a year thereafter, but dropped it in favor of HDB, mainly because HDB was rapidly gaining favor within AT&T, and Robert's version had no superiority sufficient for us to push it or keep it going in the absence of its author. I believe it was free of intentional trapdoors, unlike sendmail. In any event, the code is long gone except from backup tapes. The second summer, his major product was a streams implementation of TCP/IP that is still the basis of the Eighth/Ninth edition version of that module. It has since been reworked considerably, mainly to remove the vestiges of the socket mechanisms (he started from the Berkeley code), but again, we have never found any evidence of funny business that wasn't in what he started with. None of the work he did is in any product, and he didn't have any opportunity to tamper with the master source code-- that is really quite far away from Research. Dennis Ritchie
jfh@rpp386.Dallas.TX.US (John F. Haugh II) (11/13/88)
In article <8409@alice.UUCP> dmr@alice.UUCP writes: >None of the work he did is in any product, and he didn't have >any opportunity to tamper with the master source code-- >that is really quite far away from Research. It would be so nice if someone would undertake a security audit to insure that work other college students did, which *is* currently in production, doesn't contain any surprizes. Our friendly enchilada may not be the only prankster out there ... -- John F. Haugh II +----Make believe quote of the week---- VoiceNet: (214) 250-3311 Data: -6272 | Nancy Reagan on Artifical Trish: InterNet: jfh@rpp386.Dallas.TX.US | "Just say `No, Honey'" UucpNet : <backbone>!killer!rpp386!jfh +--------------------------------------
alb@olden.uucp (Adam L. Buchsbaum) (11/14/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes: >It would be so nice if someone would undertake a security audit to >insure that work other college students did, which *is* currently >in production, doesn't contain any surprizes. Being just an ignorant graduate student myself, I can't figure out whether this implies that all college students are suspect, anyone who is not in college is not suspect, or both? Perhaps John F. Haugh II could clarify this for me?
ncoverby@ndsuvax.UUCP (Glen Overby) (11/14/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes: >It would be so nice if someone would undertake a security audit to >insure that work other college students did, which *is* currently >in production, doesn't contain any surprizes. Why are you worried only about college students? We're not the only ones in this world to commit crimes. This security audit should go for any software posted to the net or otherwise available (anon uucp, anon FTP, etc), as well as on a per-vendor basis (who's to say that ABC computer maker didn't botch something in their port?). What you're prescribing is a pretty major task. I'm sure that if anybody with Unix Sources is sufficently worried about contamination they will perform some sort of "audit" and report the bugs back to the Keeper of the Sorces. Glen Overby ncoverby@plains.nodak.edu uunet!ndsuvax!ncoverby ncoverby@ndsuvax (Bitnet)
ccs@lazlo.UUCP (Clifford C. Skolnick) (11/14/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes: > >It would be so nice if someone would undertake a security audit to >insure that work other college students did, which *is* currently >in production, doesn't contain any surprizes. What evidence do you have that college students are evil programmers whos code should be verified? It does not take a college student to place a section of unathorized code into a program. I'm sure many programs out in the real word have similar features added by a programmer and abused by another (as this case was). I would much rather you have requested an audit on *all* code written by *any* programmer. No one person should ever be trusted so much to not validate code that person had written. This is especially true for any program that runs set-uid to root. Would you install a set-uid root program off the net without taking a real carefull look at the code? So why did all those source sites not pick up on this problem long ago? If they did notice it, they kept their mouths shut. That is just as wrong as the author of sendmail who supposidly added that code to avoid restrictive management policies. >Our friendly enchilada may not be the only prankster out there ... I take offence at your attack on college students. I am a college student and have never deliberatly comprimised the security of any code I have written or worked on. -- Clifford C. Skolnick | "You told me time makes it easy, then you never told Phone: (716) 427-8046 | me time stands still" - Gary Neuman TCP/IP: 44.68.0.195 | ...!rutgers!rochester!ritcv!ritcsh!sabin! lazlo!ccs ccs@lazlo.n1dph.ampr.org| \!kodak!pcid!gizzmo!/
m5@lynx.UUCP (Mike McNally) (11/15/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes: >It would be so nice if someone would undertake a security audit to >insure that work other college students did, which *is* currently >in production, doesn't contain any surprizes. Doesn't seem to me that a diploma forms some sort of delineation between wickedness and honesty. Any company that cares about security but only with respect to those parts of its software that were written by ``college students'' doesn't deserve serious consideration. Surely, the majority of electronic crimes are committed by employees of the victims. -- Mike McNally Lynx Real-Time Systems uucp: {voder,athsys}!lynx!m5 phone: 408 370 2233 Where equal mind and contest equal, go.
mbt@bridge2.3Com.Com (Brad Turner) (11/15/88)
In article <1777@ndsuvax.UUCP> ncoverby@ndsuvax.UUCP (Glen Overby) writes: > >In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US > (John F. Haugh II) writes: >>It would be so nice if someone would undertake a security audit to >>insure that work other college students did, which *is* currently >>in production, doesn't contain any surprizes. > >This security audit should go for any software posted to the net or >otherwise available (anon uucp, anon FTP, etc), as well as on a per-vendor >basis (who's to say that ABC computer maker didn't botch something in their >port?). > >Glen Overby >ncoverby@plains.nodak.edu uunet!ndsuvax!ncoverby >ncoverby@ndsuvax (Bitnet) (out of context of course and maybe not 100% exact) Frank Burns: I wouldn't be so paranoid if everybody wasn't watching me Let's all put on our paronia pants and do the little "somebody is out to to get me" dance! I'm not suggesting that security should be ignored, or that code should never be looked at after the first successful compile. It's just that I hate to see everybody join a posse/lynch mob because of ONE (not several, ONE) incident. So.... Face it unless you are willing to personally inspect every piece of source for every executable that's on your machine you're potentially compromising the security of your system. It's no good to "audit" the code, because how to you know the auditors can be trusted? Couldn't one dishonest auditor do more harm then than anybody else. Think about it, one central group in charge declaring what is and is not fit. A single point of failure! What it comes down to is the fact that systems these days are far to complicated for a single person to deal with. You have to trust your fellow human being at some point in time, otherwise everybody will be doomed to re-inventing the wheel. Do you personally have the time and expertise to code a boot load PROM? Then go from there to a monitor program to an assembley to a compiler to....vmunix...>rest-of-unix<....ad nausem. Then if you really want to get paranoid, how about the hardware? You're going to have to design your own CPU, mask it yourself, produce it yourself. Don't forget the glue logic, make your own 74xxx chips, resistors, caps etc... Where does it stop???? I give up lets disband society and all go live in woods where only the wildlife can get ya'. While I'm on my soapbox (and guilty)...Is it possible that we (the computing community) have wasted more time discussing/arguing about the worm than we spent discovering/disecting/erradicating/patching? My personal view I that the gossip fence has gotten overcrowded and we need to let the issue die and quit wasting net bandwidth rehashing every different flavor of the same argument/issue. Thanks for your time, have an OK day, and DON'T post a followup. -brad- -- v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v Brad Turner 1330 Ashleybrook Ln. (919) 768-2097 | I speak for myself 3Com Corp. Winston-Salem, NC 27103 mbt@bridge2 | NOT for my employer.
henry@utzoo.uucp (Henry Spencer) (11/16/88)
In article <90@lazlo.UUCP> ccs@lazlo.UUCP (Clifford C. Skolnick) writes: >What evidence do you have that college students are evil programmers >whos code should be verified? It does not take a college student to place >a section of unathorized code into a program... The problem with college students is not that they are evil crackers, but that college software quality control is not the best, to put it mildly. Colleges are organized to produce ideas and degrees, not high-quality software. It shows. The popular software distribution from a certain university in southern California is a good example of interesting ideas often marred by first-cut [i.e. poorly thought out, messy, sometimes incomplete] designs and implementations. This is not to say that any random commercial organization, like, say, one whose name has three initials and an "&" in it, will *necessarily* do better. But those people can, in theory, afford to spend some money on quality assurance. Universities generally can't. -- Sendmail is a bug, | Henry Spencer at U of Toronto Zoology not a feature. | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
jwm@stdc.jhuapl.edu (Jim Meritt) (11/17/88)
In article <90@lazlo.UUCP> ccs@lazlo.UUCP (Clifford C. Skolnick) writes: }In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes: }> }>It would be so nice if someone would undertake a security audit to }>insure that work other college students did, which *is* currently }>in production, doesn't contain any surprizes. } }What evidence do you have that college students are evil programmers }whos code should be verified? It does not take a college student to place }a section of unathorized code into a program. I'm sure many programs out }in the real word have similar features added by a programmer and abused }by another (as this case was). OK set folk, where am I wrong? (go to it, weemba!) I do not see: 1. The original post did not say ALL college students are "evil programmers" (it implied to me that most were not, though) 2. The original post said ONE college student was (rtm) 3. The original post did not say ONLY college students are "evil programmers". So why the flail, unless the old "protesteth too much" syndrome? Disclaimer: "It's mine! All mine!!!" - D. Duck
terryl@tekcrl.CRL.TEK.COM (11/17/88)
In article <1988Nov15.180821.20324@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes: >In article <90@lazlo.UUCP> ccs@lazlo.UUCP (Clifford C. Skolnick) writes: >>What evidence do you have that college students are evil programmers >>whos code should be verified? It does not take a college student to place >>a section of unathorized code into a program... > >The problem with college students is not that they are evil crackers, but >that college software quality control is not the best, to put it mildly. >Colleges are organized to produce ideas and degrees, not high-quality >software. It shows. The popular software distribution from a certain >university in southern California is a good example of interesting ideas >often marred by first-cut [i.e. poorly thought out, messy, sometimes >incomplete] designs and implementations. Careful, Henry. I know which college you're talking about, and believe me, it's not in southern California; in fact, you'll probably incur the wrath of MANY people by inadvertantly moving it from northern CA to southern CA. You see, there's this great disdain between the people of northern CA and southern CA, and they like to mention that fact as much as possible!!! (Lest anyone get the wrong idea (and for you people who couldn't spot sarcasm if it bit you on the nose and said "This is sarcasm), insert MANY (-: here!!!!) Boy Do I Hate Inews !!!! !!!!
henry@utzoo.uucp (Henry Spencer) (11/17/88)
In article <1988Nov15.180821.20324@utzoo.uucp> I wrote: >... The popular software distribution from a certain >university in southern California... Okay, so maybe Berkeley is in northern California. I never did pay much attention to foreign geography... :-) -- Sendmail is a bug, | Henry Spencer at U of Toronto Zoology not a feature. | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
campbell@redsox.UUCP (Larry Campbell) (11/19/88)
In article <1988Nov15.180821.20324@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes: } }This is not to say that any random commercial organization, like, say, }one whose name has three initials and an "&" in it, will *necessarily* }do better. But those people can, in theory, afford to spend some money }on quality assurance... Put another way, companies whose business is the sale and support of software can't afford NOT to spend money on quality assurance. -- Larry Campbell The Boston Software Works, Inc. campbell@bsw.com 120 Fulton Street wjh12!redsox!campbell Boston, MA 02146
allbery@ncoast.UUCP (Brandon S. Allbery) (11/21/88)
As quoted from <13059@princeton.Princeton.EDU> by alb@olden.uucp (Adam L. Buchsbaum): +--------------- | In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes: | >It would be so nice if someone would undertake a security audit to | >insure that work other college students did, which *is* currently | >in production, doesn't contain any surprizes. | | Being just an ignorant graduate student myself, I can't figure out | whether this implies that all college students are suspect, anyone who | is not in college is not suspect, or both? Perhaps John F. Haugh II | could clarify this for me? +--------------- You misunderstand; he's not talking about RTMorris, he's talking about the kind of peoplke who wrote sendmail, and fingerd, and other programs that might have inadvertent security holes in them. And we've *all* done it at one time or another. An independent audit of "important" code is a good idea. ++Brandon -- Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!allbery@hal.cwru.edu allberyb@skybridge.sdi.cwru.edu <ALSO> allbery@uunet.uu.net comp.sources.misc is moving off ncoast -- please do NOT send submissions direct Send comp.sources.misc submissions to comp-sources-misc@<backbone>.