reiter@endor.harvard.edu (Ehud Reiter) (11/09/88)
I think the vendors bear the lion's share of guilt in this affair. Why the hell didn't Sun and friends fix these security holes ages ago? I especially blame Sun, since
a) I gather DEC had at least fixed the Sendmail/debug hole in ULTRIX
b) Sun has been making a fuss about the snazzy new high-tech security features in 4.0. I wonder how many man-years those represent? I wonder how many man-hours (man-minutes?) it would have taken to fix the Sendmail distribution? My personal definition of `hacker': someone who loves writing snazzy new code but refuses to do code maintenance.

A few months ago, I recommended to a friend that he buy a Sun for his lab. If I was asked the same question today, I doubt I would make the same recommendation, and I probably would suggest that he think twice about getting any UNIX workstation, since my unfortunate gut feeling is that most other UNIX vendors are just as irresponsible as Sun.

If UNIX is going to start prospering in the real world (which had better happen, because otherwise IBM and DEC won't have any competition), then UNIX vendors are going to have to start showing a modicum of real-world responsibility about boring little details like maintenance and fixing security holes.

Ehud Reiter
reiter@harvard (ARPA,BITNET,UUCP)
reiter@harvard.harvard.EDU (new ARPA)
childers@avsd.UUCP (Richard Childers) (11/15/88)
In article <563@husc6.harvard.edu> reiter@harvard.harvard.edu (Ehud Reiter) writes:
>I think the vendors bear the lion's share of guilt in this affair.

They do. Especially Sun, as it has deliberately sought a lion's share of the market and has expended a similar amount of capital to make sure it stays there at the top, in a *leadership* <ahem> position.

>Why the hell didn't Sun and friends fix these security holes ages ago?

Not cost-effective. (See below.)

> b) Sun has been making a fuss about the snazzy new high-tech security
>features in 4.0. I wonder how many man-years those represent? I wonder
>how many man-hours (man-minutes?) it would have taken to fix the Sendmail
>distribution? My personal definition of `hacker': someone who loves writing
>snazzy new code but refuses to do code maintenance.

I interviewed at Sun's Software Quality Assurance a few months ago, with both Graphics and UNIX departments of the QA group, several members of each, and in order to diffuse the finger-pointing I'll just say that everyone was of a uniform mind - except for the SQA director, a *classic* Scott McNealy clone if ever I saw one - that the week or two they had to test major releases was not adequate to the responsibility they had to the user community.

See, Sun has several major models, each of them have dozens of possible confs, and it's a nightmare to test them all. Anyone who's watched SunOS go through its stages, 1.x, 2.x, 3.x, has probably seen similar factors that point to a failure to do things right. Manual pages are out of date, manual pages that conflict with program behavior, programs that conflict with manual pages, and programs that aren't documented ... what Sun does, apparently, is test ONLY the major sellers, and test ONLY the major programs, using an ancient blackbox testing program that was probably written back in 1983.

It seems clear to me that someone got a raise out of 'speeding up' QA, whom they no doubt characterized as a bunch of goof-offs.

How long does it take to test a version of an OS, anyway ? ( Duhhh ... )

The moment you appoint an MBA to control a bunch of dedicated engineers, you are going to see a drop in quality, as the MBA fails to see the critical issues and makes decisions based on a superficial, not substantial, understanding of the issues, both short- and long-term.

I know Sun's got a few spin-doctors on the net who'll do their best to make as little of my commentaries as possible, but they are offered in the interest of freedom of information, and in the interests of honesty. Let's just say I was so turned off by problems in 3.x that weren't fixed until 3.5, that I'm not going to install 4.0 until it's gone through a bunch of revisions. Now that I know why they are there, I know they'll continue cropping up until a new set of managers assumes responsibility for Sun, which is highly unlikely.

It's kind of like a job I had for a few hours in a restaurant when I was a kid. I was supposed to wash the dishes. To my mind, that meant to 'get them clean'. To the mind of my manager, that meant 'run water over them'. I was fired that night for not doing the dishes fast enough, although there was a sufficiently large supply of clean dishes to last ...

-- richard

--
* Tyger, tyger, burning bright,        ..{amdahl,decwrl,hoptoad,hplabs, *
* In the forest of the night ;           octopus,pyramid,ucbvax,vixie}  *
* What immortal hand or eye,             !avsd.UUCP!childers@tycho      *
* Could frame thy fearful symmetry ?     AMPEX Corporation, R & D       *
allbery@ncoast.UUCP (Brandon S. Allbery) (11/17/88)
As quoted from <563@husc6.harvard.edu> by reiter@endor.harvard.edu (Ehud Reiter):
+---------------
| I think the vendors bear the lion's share of guilt in this affair.
| Why the hell didn't Sun and friends fix these security holes ages ago?
+---------------

I can answer this, perhaps not for Sun but in general.

I've annoyed many a client with "Standard Security Speech #1", discussing the importance of not running all their programs from an unpassworded "root" login. And many of those clients have modems.

I didn't realize just how bad the situation was until one of those clients argued back that they bought an ***** (name deleted to avoid advertising) system because a business associate had complained about 3B/2's not allowing "root" to log in on non-console terminals. Why was this so bad? "We don't want to have our users be restricted in what they can do."

PEOPLE ARE IGNORANT ABOUT COMPUTERS. PEOPLE DON'T WANT SECURITY. PEOPLE WANT TO LOAD THEIR APPLICATIONS INTO THEIR COMPUTERS AND TRUST THAT GOD WILL KEEP THE CRACKERS OUT. AND THERE HAVE BEEN CASES WHEN A COMPANY WILL REFUSE TO BUY A PARTICULAR COMPUTER BECAUSE IT COMES WITH SECURITY ENFORCEMENT.

The vendors have made mistakes, certainly. But their customers have a nasty tendency to consider these mistakes to be features.

Common arguments used by these people when confronted with the flaws in their reasoning:

"Nobody knows our computer's phone number."
-- Demon-dialer programs are trivial, especially when used with smart modems that can recognize voice answers.

"We don't have any information that anyone would want."
-- Fine, so you don't have to worry about industrial espionage. But how about young Mr. Morris? Or the cracker gang that was broken by the FBI earlier this year, that operated in the Cleveland area? Much less interstate gangs, courtesy PC Pursuit.

"It {won't,can't} happen to us."
-- Needs no commentary. Ask any sysadmin on the Internet.

Worse is that almost *every* small Un*x system out there has NO security, because the salesdroids that installed them and set them up didn't know about it. They have everyone run as unpassworded root. They load applications into /tmp, where any cracker can destroy the entire system with just ONE publicly-executable "rm". They don't say word one about backup procedures. And many of them don't give their customers the master disks to their software, so if their programs get blasted they're up sh*t creek without a paddle.

That last paragraph is the worst part. We work primarily with reasonably pure Xenix and Unix System V -- no sendmail, no fingerd, no ftpd, no susceptibility to the *current* worm. And capable of quite good security. But setting up security takes some work -- it always has, it always will -- and most salesdroids are too busy counting their commissions to consider doing that work. If they even know anything about security, which I would doubt after some of the things I've seen.

The Morris worm is well on its way to becoming the kernel of my "Standard Security Speech #2". Maybe a few people will pay attention this time; one of *****'s failures is that systems ship with a "uucp" login enabled and security disabled even in HDB UUCP. All it'd take is a UUCP version of the Morris worm and a demon-dialer program to wreak havoc in these small systems.

Vendors have some blame, but their oh-so-naively-trusting customers and oh-so-ignorant salesmen (or distributors' salesmen, who the vendors have no control over) have even more. Education is the answer here. It is a sad but true fact that only an actual invasion of their systems will get any response out of them; Matt Weiner is absolutely right about that.

----

Various people want to put ALL the blame on:
- RJ Morris Jr
- Vendors (mtXinu and Sun)
- Internet sysadmins

The simple fact of the matter is that all of them, and many others, are equally culpable. Something must be done about *all* of them, not just some person's pet enemy. The insensately enraged must accept that better security would make this kind of invasion much less likely; Weemba must accept that ethics will *also* make it less likely, not only because fewer people will be tempted to play with security holes but because people who've been trained to respect the computers they use will be more likely to report security holes *and do something about them* (and, not incidentally, that the only security which will effectively prevent all such breakins will also spell the end of the Brahms Gang, and the Internet, and the Usenet, and the Information Age); Ehud Reiter and people of similar mind must accept that vendors do what sells, *and* *security* *doesn't* *sell*; vendors must recognize that minimum standards MUST be insisted upon in their distributors/resellers/etc. to make sure that the security features they provide are used when they are needed.

Wake up, indeed. Wake up, EVERYBODY; we've just received a warning of impending Doomsday. Stop pointing fingers at each other and DO SOMETHING ABOUT IT.

[I just pushed every project I've got off the table. Next project: since I haven't seen one yet, I'm going to try to rework UUPC into a PD HDB clone. At least insofar as security features are concerned. G*d alone knows how many Xenix systems are wide open thanks to V7 UUCP...!]

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu <ALSO> allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
clewis@ecicrl.UUCP (Chris Lewis) (11/22/88)
In article <13139@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes:
>As quoted from <563@husc6.harvard.edu> by reiter@endor.harvard.edu (Ehud Reiter):
>| I think the vendors bear the lion's share of guilt in this affair.
>| Why the hell didn't Sun and friends fix these security holes ages ago?

>PEOPLE ARE IGNORANT ABOUT COMPUTERS. PEOPLE DON'T WANT SECURITY. PEOPLE
>WANT TO LOAD THEIR APPLICATIONS INTO THEIR COMPUTERS AND TRUST THAT GOD WILL
>KEEP THE CRACKERS OUT. AND THERE HAVE BEEN CASES WHEN A COMPANY WILL REFUSE
>TO BUY A PARTICULAR COMPUTER BECAUSE IT COMES WITH SECURITY ENFORCEMENT.

[rest of diatribe deleted...]

Here here!

One of our main lines of business is picking up the pieces after various salesdroids (usually high priced "consultants" or sellers of packaged basic software) have totally trashed some poor customer's machine.

Security? Hah! EVERY silly little basic mailing list program simply *has* to run root. No userids, *everybody* runs root. And, of course, every basic program simply *has* to have the printer directly - no spoolers for them. What do you mean something else wants to use the printer? Closing files? No that's too difficult. If a terminal hangs? Simple, push reset on the computer! "What do you mean that might damage it? It didn't the 6 times I did today! I've programmed in basic on Wang 2200's for 10 years, don't tell *me* how UNIX computers work".

Sigh. We're not letting *any* of our customers hook up modems until we've unravelled the mess their consultants have made...

No, the majority of machines on the net aren't anywhere near as bad as that. Thank god. But, take heed about the security issues being raised in this newsgroup!

Sure, some vendors have made somewhat silly decisions or let things slip. However, maintaining the amount of software in a typical UNIX release is an awesome task (considering the sheer quantity of software involved).

Frankly, the biggest cause of holes is sloppy or inept SA's, inadequate documentation or training (does *your* company make sure that everybody has the right manuals or training?) and insufficient commitment to administration by the system's owners.

--
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)