[news.sysadmin] Security hole patches

mkkam@csuna.cs.uh.edu (Francis Kam) (11/08/88)

Quite a lot of discussion on the private security mailing list about whether
or not to disclose Morris's worm source, ..., and so on.  After all, what
would/could be done after more and more security holes are found within
the private security mailing list community?  Would there be plans for
releasing security hole fixes constantly (if there are that many holes)?  Why
are fixes sent out only after the holes were made known and damage caused?
As far as the sendmail "debug" hole is concerned, I don't think Morris
was the only one in this world who knew about it before the incident.

People might argue that if fixes were sent out for this sendmail bug, some
malicious hackers might take advantage of this to attack systems that do
not yet have the fixes implemented.  This is a valid worry, but the real
problem lies in the lack of a proper way to control and distribute patches
like these.  Come to think of it: students write some important system
utilities during their graduate studies (might be undergraduate too);
they have their products (after so much review) turned in and graduate
to the jungle outside; since it is a jungle, he/she must have no time to
maintain the code while it is being incorporated and distributed to a
wide variety of users (like BSD 4.x users); then some manufacturers
rewrite/adopt the code (like Sun), and distribute it in binary-only
form to users (like my site).  It is really surprising to me that Sun's
sendmail as of SunOS 4.0 does not have the "debug" mode turned off.  In
fact, it really doesn't matter whether users buy the source license or
not, since I think few of these source license holders would look at
it and try to patch security holes.

You know, it really surprised me when I woke up that morning, after
scratching my head until 3 about what those '(sh)' processes were doing,
and heard that NASA, MIT, Stanford, UCB, SRI, ...etc. were attacked by
that worm.  I thought it should only have affected those sites which do not
have the Unix source, or have the source but don't bother to look at it.
On the other hand, if this is really the BSD/Unix philosophy, that code is
sent out as is and there is no guarantee about anything that could happen,
I really would worry how Unix can be taken seriously in the coming
decade.  It is like a kid who grows up but cannot assume any
responsibility.

I can see people are enthusiastic and concerned about patching,
reverse-engineering, and distributing the secrets they found in the worm
code.  When I received these patches, I really said "thank god" to them,
with that kind of feeling that my system is safe now.  But the more I
think about it now, the more I would say this is not enough.  What if my
files (and all my users') were all wiped out at the time I received the
patches?  What if NASA has to spend days to rebuild the root of all
their machines and restore files from a previous backup?  What if some
important real-time processing was interrupted when the worm wiped out
and crashed the system?  In brief: should we spend more effort on
prevention than on cleaning up the mess?

-------------
Francis Kam                           CSC-3475
Internet: mkkam@cs.uh.edu             Computer Science Department
          mkkam@sun1.cs.uh.edu        University of Houston
CSNET:    mkkam@houston.csnet         4800 Calhoun
Phone: (713)749-1748                  Houston, TX 77004.
       (713)749-4791
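An added check, not part of Francis Kam's post or of sendmail itself: the
"debug" hole the post refers to is the SMTP-level DEBUG command that a
sendmail built with DEBUG defined will accept from any remote client.  A site
on a binary-only distribution can find out whether its own mailer accepts it
without reading any source, by connecting to port 25, sending "debug", and
looking at the reply code.  The probe below does exactly that.  Because it has
to run offline, it also starts a constructed stand-in server on a local
ephemeral port; the reply texts it emits ("200 Debug set" when DEBUG is
compiled in, "500 Command unrecognized" when it is not) are assumed from the
historical sendmail 5.x behaviour and are not quoted from the page.  The host
name in the banner is made up.

```python
"""Probe an SMTP listener for the sendmail DEBUG command (constructed example)."""
import socket
import threading

CRLF = b"\r\n"


def _read_reply(sock):
    """Read one SMTP reply (possibly multi-line) and return it as text.

    A reply is complete when a line's fourth character is a space
    ("250 ...") rather than a dash ("250-...")."""
    buf = b""
    while True:
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(CRLF)
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    return buf.decode("ascii", "replace")


def sendmail_debug_enabled(host, port, timeout=5.0):
    """Return True if the server answers the DEBUG command with a 2xx code.

    Only the command itself is sent; nothing is piped to a shell.  A 2xx
    reply means the mailer was built with DEBUG and is exposed to the
    worm's attack path; anything else (usually 5xx) means it was not."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_reply(s)                      # 220 greeting banner
        s.sendall(b"debug" + CRLF)          # sendmail lowercases commands
        reply = _read_reply(s)
        s.sendall(b"quit" + CRLF)
        _read_reply(s)                      # 221 goodbye
        return reply.startswith("2")


def fake_sendmail(debug_compiled_in):
    """Start a constructed stand-in server on 127.0.0.1 and return its port.

    Assumed reply texts, modelled on sendmail 5.x: "200 Debug set" when
    DEBUG is compiled in, "500 Command unrecognized" otherwise."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            with conn:
                conn.sendall(b"220 host.example Sendmail 5.59 ready" + CRLF)
                for line in conn.makefile("rb"):
                    cmd = line.strip().lower()
                    if cmd == b"debug" and debug_compiled_in:
                        conn.sendall(b"200 Debug set" + CRLF)
                    elif cmd == b"quit":
                        conn.sendall(b"221 closing connection" + CRLF)
                        break
                    else:
                        conn.sendall(b"500 Command unrecognized" + CRLF)
        except OSError:
            pass                            # client went away first; harmless
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Exercise the probe against both kinds of stand-in server.
    for built_with_debug in (True, False):
        port = fake_sendmail(built_with_debug)
        print("DEBUG compiled in:", built_with_debug,
              "-> probe says:", sendmail_debug_enabled("127.0.0.1", port))
```

Against a real host, call sendmail_debug_enabled("mailhost", 25).  Note that a
5xx reply only shows the DEBUG command is refused; it says nothing about
other holes in the same binary, so it is a quick triage for the hole named in
the post, not a clean bill of health.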