hans@duttnph.UUCP (Hans Buurman) (11/06/88)
I have read somewhere that last week's virus checked for possible rhosts and hosts.equiv leaks, as well as trying some simple passwords in order to get in.

It seems (for a variety of reasons) wise to have such a program running on a regular basis, in order to close the leaks. Better find the weak spots ourselves, before someone else finds them.

Now I could try to write such a program, but obviously somebody has already done so... Would it be a good idea to post this part of the virus, to help people close the gaps? Or, would somebody mail the code to root@duttnph.uucp? I don't want/need the whole virus, of course :-). Just the code that finds obvious security holes.

Or is all this a bad idea? I think we should use this experience, in order to make the world a safer place.

By the way, what's a good newsgroup for this?

Hans

-----------------------------------------------------------------------------
Hans Buurman                   | hans@duttnph.UUCP
Pattern Recognition Group      | mcvax!dutrun!duttnph!hans
Faculty of Applied Physics     | tel. 31 - (0) 15 - 78 46 94
Delft University of Technology |
the Netherlands                |
-----------------------------------------------------------------------------
Disclaimer: any opinions expressed above are my own.

gore@eecs.nwu.edu (Jacob Gore) (11/08/88)
/ news.sysadmin / spaf@cs.purdue.edu (Gene Spafford) / Nov 7, 1988 /
>In article <11581@bellcore.bellcore.com> karn@jupiter.UUCP (Phil R. Karn) writes:
>>It sure would be nice if Morris (or someone at Cornell with access to his
>>files) were to release the complete, original source for the object portion
>>of the virus.
>
>Good heavens, no! At least, it shouldn't be widely published!
>[reasonable reasons for not doing it.]

Fine. There is another way.

There ARE many people who are still uneasy about this (I should know, I'm one of them). After all, this person made an important tradeoff decision: by making the main body of the worm object-code only, he had to limit its distribution to machines of only two architectures. If he had nothing to hide, why not distribute it in source form instead? It would spread much farther that way.

That's the main reason that I spent all those hours worrying about the damned thing -- I could not be sure it was malignant, and I had a very strong suspicion that the author had something to hide. I'm sure many other people who worked on it have the same views.

I WOULD be much more comfortable if the complete, original source was submitted to Berkeley (or any other place we can trust), and they compiled it and compared it with the worm's binaries. That way, the source would not have to be published, so fewer people would try to exploit it (it's extremely naive to think that GOOD crackers can't figure out enough of what the worm did without seeing the source).

I guess I'm not that comfortable with the idea of reliably uncompiling C code. True, I know nothing about that. But come on, guys, humor us. After what we've all been through, the least Morris can do is help us all gain some peace of mind.

Jacob Gore                          Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept.      {oddjob,gargoyle,att}!nucsrl!gore