mkkam@csuna.cs.uh.edu (Francis Kam) (11/08/88)
Quite a lot of discussions on the private security mailing list: whether or not to disclose Morris's worm source, ..., and so on. After all, what would/could be done after more and more security holes are found within the private security mailing list community? Would there be plans for releasing security hole fixes constantly (if that many holes)? Why are fixes sent out only after the holes were made known and damage caused?

As far as the sendmail "debug" hole is concerned, I don't think Morris was the only one in this world who knew about it before the incident. People might argue that if fixes were sent out about this sendmail bug, some malicious hackers might take advantage of this to attack systems that did not yet have the fixes implemented. This is a valid worry, but the real problem lies in the lack of a proper way to control and distribute patches like these.

Come to think of it: students write some important system utilities during their graduate studies (might be undergraduate too); they have their products (after so much review) turned in and graduate to the jungle outside; since it is a jungle, he/she must have no time to maintain the code while it is being incorporated and distributed to a wide variety of users (like BSD 4.x users); then some manufacturers rewrite/adopt the code (like Sun) and distribute it in binary-only form to users (like my site). It is really surprising to me that Sun's sendmail as of SunOS 4.0 does not have the "debug" mode turned off. In fact, it really doesn't matter whether users buy the source license or not, since I think few of these source license holders would look at it and try to patch security holes.

You know, it really surprised me when I woke up that morning, after scratching my head until 3 about what those '(sh)' processes were doing, and heard that NASA, MIT, Stanford, UCB, SRI, ...etc. were attacked by that worm. I thought it should only have affected those sites which do not have the Unix source, or have the source but don't bother to look at it. On the other hand, if this is really the BSD/Unix philosophy that code is sent out as is and there is no guarantee on anything that could happen, I really would worry how Unix can be taken seriously in the coming decade. It is like a kid who grows up but cannot assume any responsibility.

I can see people are enthusiastic and concerned about patching, reverse-engineering, and distributing the secrets they found in the worm code. When I received these patches, I really said thank god to them, with that kind of feeling that my system is safe now. But the more I think about it now, the more I would say this is not enough. What if my files (and all my users') were all wiped off at the time I received the patches? What if NASA has to spend days to rebuild the root of all their machines and restore files from previous backups? What if some important real-time processing was interrupted when the worm wiped out and crashed the system?

In brief: should we spend more effort in prevention than cleaning up the mess?

-------------
Francis Kam                          CSC-3475
Internet: mkkam@cs.uh.edu
Computer Science Department          mkkam@sun1.cs.uh.edu
University of Houston                CSNET: mkkam@houston.csnet
4800 Calhoun                         Phone: (713)749-1748
Houston, TX 77004.                   (713)749-4791