weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/08/88)
In article <5332@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
>In article <16600@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>I see that you, like thousands of others, don't really understand. Robert
>>T Morris Jr has done everyone a FAVOR. Instead of thanking him for maybe
>>waking up people on the ARPANET to how DAMN EASY IT IS TO INFILTRATE,

>That attitude is completely reprehensible! That is the exact same
>attitude that places the blame for a rape on the victim; I find it
>morally repugnant.

This response of yours is absolutely repulsive. Instead of discussing the
issues, you want to make sure everyone thinks in terms of a non-issue.
Perhaps there are readers out there who have been raped, and don't
particularly relish your worthless comparison.

Poor Spaf got scared shitless about his *COMPUTERS*? Awww... Real serious
trauma there. My nose bleeds for you. Why don't you bring up the Holocaust?
Call me just another USENET Nazi?

>Consider an analogy:

[lock analogy (the obvious one) omitted]

What the HELL does that matter? Are you going to run around with your
heads in the sand over and over again, yelling "ain't my fault our locks
are all ten years out of date"? What does it take to wake you folks up?

>We cannot depend on making our systems completely secure. To do so
>would require that we disconnect them from each other. There will
>always be bugs and flaws, but we try to cover that by creating a sense
>of responsibility and social mores that say that breaking and cracking
>are bad things to do.

Ooooh. A sense of responsibility and social mores? So you can declaim
from the moral high ground when ARPANET goes belly up three years from
now? How about a sense of intelligence and security to go with it?

> Now we have to demonstrate to the world that
>this is the case, and we will back it up with legal action, or we'll
>continue to risk having bored students and anti-social elements
>cracking whatever we replace the systems with until there is no longer
>any network.

Yup. Gee. Fat lot of good that will do when the REAL NASTY VIRUS comes
along within the next three years. You can wail all you want about how
folks *shouldn't* do this, but guess what? You still have an INTERNET to
run.... And this is true whether or not RTM does or does not do any time.

Think about it. This isn't just rhetoric. The INTERNET may depend on you
actually DOING so.

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720
tytso@athena.mit.edu (Theodore Y. Ts'o) (11/10/88)
In article <16672@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>
>What the HELL does that matter? Are you going to run around with your
>heads in the sand over and over again, yelling "ain't my fault our locks
>are all ten years out of date"? What does it take to wake you folks up?
>

Stuff like this makes me wish that news.admin _WAS_ moderated. Sigh.

>>We cannot depend on making our systems completely secure. To do so
>>would require that we disconnect them from each other. There will
>>always be bugs and flaws, but we try to cover that by creating a sense
>>of responsibility and social mores that say that breaking and cracking
>>are bad things to do.
>
>Ooooh. A sense of responsibility and social mores? So you can declaim
>from the moral high ground when ARPANET goes belly up three years from
>now? How about a sense of intelligence and security to go with it?

Repeat after me three times. "The ARPANET cannot be made secure." Got
it? Now repeat it three more times. As long as machines are connected
together usefully, there will always be a chance that somewhere, somehow,
someone will be able to break in. So what are we going to do about it?
We have to deter people from doing anti-social things --- either by giving
them a sense of ethics or stringing up people who do these things. Why do
you sneer at ethics so?

In a previous article, you said that the virus/worm should be released
every month to keep sysadmins on their toes. Well, how about this: every
month, someone will randomly spray your office with machine gun fire.
That'll teach you to wear bullet-proof vests! Personally, I prefer not to
wear bullet-proof vests, because I can get a lot more done without them
on. However, I don't think the human race will come to an end because in
general, people don't wear bullet-proof vests. Similarly, the ARPANET
won't die because of this.

I was up all night Thursday fighting this thing; I'm not inclined to
think it was a "harmless prank" or an "effective way to wake us up" ---
just as you wouldn't think that my shooting your feet off would be a good
way to remind you to wear bullet-proof armor all the time.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Theodore Ts'o				bloom-beacon!mit-athena!tytso
3 Ames St., Cambridge, MA 02139		tytso@athena.mit.edu
   Everybody's playing the game; but nobody's rules are the same!
weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/10/88)
In article <7882@bloom-beacon.MIT.EDU>, tytso@athena (Theodore Y. Ts'o) writes:
>In article <16672@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>What the HELL does that matter? Are you going to run around with your
>>heads in the sand over and over again, yelling "ain't my fault our locks
>>are all ten years out of date"? What does it take to wake you folks up?

>Stuff like this makes me wish that news.admin _WAS_ moderated. Sigh.

[I'll pretend that this is news.admin for the sake of argument.]

Why? You think it's essential that everyone play kiss ass yup yup yup
regarding security?

>>Ooooh. A sense of responsibility and social mores? So you can declaim
>>from the moral high ground when ARPANET goes belly up three years from
>>now? How about a sense of intelligence and security to go with it?

>Repeat after me three times. "The ARPANET cannot be made secure." Got
>it? Now repeat it three more times.

Of course it can't be made secure. But it could be a hell of a lot more
secure than it is now. A HELL of a LOT more. Complaining about RTM's lack
of ethics is not the way to make it more secure. Got it yourself?

> So what are we
>going to do about it? We have to deter people from doing anti-social
>things --- either by giving them a sense of ethics or stringing up
>people who do these things. Why do you sneer at ethics so?

Because I don't believe that ethics will work. People aren't going to get
much in the way of ethics, and the stringing up of RTM you all keep
foaming for is bloody unlikely.

>In a previous article, you said that the virus/worm should be released
>every month to keep sysadmins on their toes.

No, not to keep sysadmins on their toes. To get them--and their bosses--
and maybe thus their vendors--to start making security a serious priority.
And not an afterthought. And I've only floated it up as an idea for
kicking around, not a mandate about what SHOULD be done.

You'll recall that I used the word "drill", as in FIRE DRILL. I didn't
ask for genuine FIRES.

> Well, how about this:
>every month, someone will randomly spray your office with machine gun
>fire. That'll teach you to wear bullet-proof vests!

These "proofs" by analogy are always so ludicrous. Is random machine
gunning of offices an almost certainty? Maybe over in Lebanon, but not
here in the USA. In contrast, is more computer cracking a certainty?
YES...

What are you going to argue next? That fire drills be cancelled at
schools? That earthquake drills not be held here anywhere in California?
After all, it's just as easy for you to compare these drills to your
machine-gun analogy.

>I was up all night thursday fighting this thing; I'm not inclined to
>think it was a "harmless prank" or an "effective way to wake us up"

I never claimed that it was a "harmless prank". (By the way, if you think
this news.admin ought to be moderated, why do you engage in such blatant
lying? Is this what Gene Spafford calls "professionalism"?)

Nor did I ever claim that the Morris worm was an effective way to wake
people up, other than some early theorizing before the facts were in. I'd
*LIKE* to see it become such in retrospect, but the large number of
people thinking "OK, I fixed the sendmail bug, let's nuke the bastard so
that no one will ever do this again" makes me doubt this.

> just as you wouldn't think that my shooting your feet off would
>be a good way to remind you to wear bullet-proof armor all the time.

Ignoring the fact that your analogy is indeed irrelevant, note that I'm
NOT suggesting that anything crippling be done--just something that keeps
security a high company/university/institute priority across ARPANET and
elsewhere. I simply do not expect this attitude to come voluntarily.

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720
bin@rhesus.primate.wisc.edu (Brain in Neutral) (11/11/88)
From article <16800@agate.BERKELEY.EDU>, by weemba@garnet.berkeley.edu (Obnoxious Math Grad Student):
> Ignoring the fact that your analogy is indeed irrelevant, note that I'm
> NOT suggesting that anything crippling be done--just something that keeps
> security a high company/university/institute priority across ARPANET and
> elsewhere. I simply do not expect this attitude to come voluntarily.

But if your "drill" isn't crippling, then it won't accomplish its
intended end. Because if it's not crippling, it can be (and would
be) ignored.

I suspect that such drills could even be dangerous, in the sense that
they could easily come to be viewed as the boy crying wolf. Then when
the real virus comes in (and of course it will initially mimic a drill),
all the sysadmins will yawn and say, "Oh, another drill. Hm."

Also, it seems to me that belittling the value of ethics is defeatist.
You yourself concur that the net will not be made totally secure, but
can be made *more* secure. It seems reasonable that a greater degree
of ethical behavior (instilled, say, by highly adverse consequences for
unethical behavior) would also make the net *more* secure, even though
not totally secure.

Paul DuBois
dubois@primate.wisc.edu		rhesus!dubois
weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/11/88)
In article <425@rhesus.primate.wisc.edu>, bin@rhesus (Brain in Neutral) writes:
>But if your "drill" isn't crippling, then it won't accomplish its
>intended end. Because if it's not crippling, it can be (and would
>be) ignored.

>I suspect that such drills could even be dangerous, in the sense that
>they could easily come to be viewed as the boy crying wolf. Then when
>the real virus comes in (and of course it will initially mimic a drill),
>all the sysadmins will yawn and say, "Oh, another drill. Hm."

I only consider my proposal a first thought. Thanks for a technically
oriented response.

I can only hope that just a few such drills would be needed to convince
people that security should be viewed seriously, not as something to
patch on at the end, or to trust to ethics or a hoped-for anti-Morris
verdict.

>Also, it seems to me that belittling the value of ethics is defeatist.

I don't see why being defeatist or not matters. Personally, I think of
myself as somewhere between cynical and realistic. Anyway, I've been
called worse in the past.

How many sites would be wiped out if a fire hit your computer room? Are
your backups in the same room as your disks and computers? This is a
small potatoes question that could have big potatoes consequences, yet
this kind of thinking is routinely just not done.

You have to approach security in the same way. As summarized in RISKS,
e.g., "gets" has long been known to be a bug waiting to happen--and it
did with the fingerd attack--yet backward-compatibility was viewed as
more important than closing this bug for the longest time. I hope to see
this kind of thinking go extinct.

>You yourself concur that the net will not be made totally secure, but
>can be made *more* secure. It seems reasonable that a greater degree
>of ethical behavior (instilled, say, by highly adverse consequences for
>unethical behavior) would also make the net *more* secure, even though
>not totally secure.

Making theft possible only for those with the heaviest of hardware does
more, I hazard, than teaching kids to "just say no" to stealing. That is,
I envision some kind of security wall that discourages those with slowly
maturing ethics, just by making it not worth the effort for most crackers.

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720
clb@loci.UUCP (Charles Brunow) (11/12/88)
> >In article <16672@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>
> ... , note that I'm
> NOT suggesting that anything crippling be done--just something that keeps
> security a high company/university/institute priority across ARPANET and
> elsewhere. I simply do not expect this attitude to come voluntarily.
>
> ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720

	Just do it. All this blathering back and forth isn't going to
	do any good. Use the time to write a monthly virus and announce
	"THIS IS A TEST" and send it. We should vote on whether or not
	to moderate it, of course, and then do it anyway. If you're
	looking for analogies, how about Pasteur and his dead germs.

	I can't see how a good defense for viruses can be developed by
	people who have no first hand experience with them. We really
	need to play around with these types of things if we are to
	claim knowledge of effective defenses. And I'd love to see just
	how secure we really are, wouldn't you? I especially like to see
	smug fat cats get theirs, you know the "head-in-the-sand" defense
	which leaves their tail waving around in the air.

	We should also have a newsgroup for virus/worm/cracker postings.
	We know that they have better communications and more time to
	devote to the subject than the typical sys-admin. We could let
	them tell us what's what instead of worrying about whether or
	not they're reading the security lists. Maybe this should start
	out as a mailing list, and then use a worm to install the group
	net wide? Worlds of possibilities!

--
CLBrunow - KA5SOF
clb@loci.uucp, loci@csccat.uucp, loci@killer.dallas.tx.us
Loci Products, POB 833846-131, Richardson, Texas 75083
hans@duttnph.UUCP (Hans Buurman) (11/14/88)
In article <161@loci.UUCP> clb@loci.UUCP (Charles Brunow) writes:
>> >In article <16672@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes:
>>
>> ... , note that I'm
>> NOT suggesting that anything crippling be done--just something that keeps
>> security a high company/university/institute priority across ARPANET and
>> elsewhere. I simply do not expect this attitude to come voluntarily.
>>
>> ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720
>
>	Just do it. All this blathering back and forth isn't going to
>	do any good. Use the time to write a monthly virus and announce
>	"THIS IS A TEST" and send it. We should vote on whether or not
>	to moderate it, of course, and then do it anyway. If you're
>	looking for analogies, how about Pasteur and his dead germs.

Please, send us one !

I've been asking around on my own university network what people were
doing with the recent virus information. There were three reactions:

a) This wouldn't have happened if they had been running vendor supplied
   software instead of some public domain sendmail program.
b) Don't put our network in a bad light.
c) Attention, system administrators ! I have just found out that setuid
   shell scripts are a security breach !

(Yes, all these people were serious !)

Mind you, we are not on the Internet yet. I can only hope that they learn
before things get serious. Your virus-of-the-month might just cause that.

Hans

-----------------------------------------------------------------------------
Hans Buurman                   | hans@duttnph.UUCP
Pattern Recognition Group      | mcvax!dutrun!duttnph!hans
Faculty of Applied Physics     | tel. 31 - (0) 15 - 78 46 94
Delft University of Technology | "What this country needs is a good
the Netherlands                |  five cents virus/worm !"
-----------------------------------------------------------------------------
Disclaimer: any opinions expressed above are my own. They may have been
changed by a virus, however.
allbery@ncoast.UUCP (Brandon S. Allbery) (11/22/88)
As quoted from <546@dutrun.UUCP> by hans@duttnph.UUCP (Hans Buurman):
+---------------
| Mind you, we are not on the Internet yet. I can only hope that they learn
| before things get serious. Your virus-of-the-month might just cause that.
+---------------

<Hollow, bitter laugh>

About a month and a half ago, one of the sysadmins at
skybridge.sdi.cwru.edu asked me for a copy of a certain program in use on
ncoast which grants use of root privileges without a password. I refused,
explained why, and copied the message to ncoast's Keeper of the Root
Password as part of my on-going effort to get him to stop placing
convenience over security. (Said Keeper claims that the program is more
secure than giving out the root password to those few people who
occasionally need root access. Oh, really?)

Then the Internet virus broke. I hope the sysadmins of skybridge got the
message reinforced by it. Ncoast's root certainly didn't; he *still*
ignores me when I ask for the root access program to be dishonorably
retired. I'm still waiting for some cracker to break in that way....

(Note: I never did subscribe to the "easy password" rule, and still
don't; I would bet that my passwords will not be guessed by anyone,
although someone may be able to decrypt it with "fdes" or etc. I make no
such claim for our beloved root. Sigh. Three possible root passwords on a
system is at least two too many, even if they're well-chosen.)

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery  <PREFERRED!>	ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu	      <ALSO>	allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@<backbone>.