scs@itivax.UUCP (Steve C. Simmons) (11/08/88)
In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems. He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of. Just imagine what would have happened if the worm/virus had
>contained some nasty code to destroy files or the like. The sendmail bug
>certainly gave the worm access rights to destroy mail and eventually other
>vital system information.
>
>Let's be happy that it is over, and that the Internet is now more secure.

Let's not. Suppose you found a security hole that would let you assassinate
the president. Should you:
  (a) Tell the secret service,
    -- or --
  (b) Take a toy gun and take advantage of the hole?
If you chose (b), don't be surprised if the secret service gives you a
sudden case of lead poisoning.

The ethical thing to do would have been to inform the local sysadm of the
hole, and get the patch out as has been done in other recent (non-worm)
cases. Instead this guy chose to keep his knowledge a secret and "play" with
it. He's as culpable as if he'd accidentally dropped a vial full of smallpox
bacteria in a public place.
--
Steve Simmons ...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."
markc@hpsmtc1.HP.COM (Mark Corscadden) (11/09/88)
> In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
> >Maybe you should better thank this guy as well, since he revealed some
> >nasty bugs in widespread operating systems. He SURELY showed everyone that
> >computer systems are not secure, and that security IS a thing one has to be
> >aware of.
>
> People keep saying this. Fact is, I already knew that computer systems are
> not secure. I knew that the Internet is not secure. I knew that sendmail is
> one of the most insecure mailers around. And I sure hope no one out there
> thought differently even before the worm. He didn't teach me a whole lot. He
> just wasted my time. And I'm not going to thank someone for wasting my time.

Your response, "I already knew that computer systems are not secure", is all
the more reason to believe that "this guy" has done more than a little good
with this hack. Unfortunately, large communities are almost never motivated
by a purely intellectual understanding of a potential danger. No matter *how
good* their information is, it's just information and easy to ignore. The sad
fact is that people en masse (and individuals too?) react very differently to
direct experience than they do to warnings. Witness the many fools (myself
included!) who continue to live unprepared on a major California fault line,
knowing that it's just a gamble whether a major shaker will hit in the near
future - and a sure bet that one will hit before too many decades go by. If
mother nature was nice enough to shake the Bay Area with several strong, but
not devastating, 'quakes before a really big one hit, I'm sure many lives
would be saved. My point is that "this guy", by pulling this hack, has had an
impact that no amount of discussion and information sharing can equal.

And the 'quake analogy is accurate in more ways than one: the chances that
our networked computer environment will go for another 30 years without a
major disaster striking are about as good as my chances of living in the Bay
Area for another 30 years without a major earthquake striking. If anything,
I'm guessing that this hack, in spite of the amount of money and time it
cost, was still mild enough that it will be yesterday's boring news in a
month or so, and we're not likely to react strongly enough to the warning it
has provided :-(

Mark Corscadden
klm@cme-durer.ARPA (Ken Manheimer) (11/09/88)
In article <367@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>> [...]
>>Let's be happy that it is over, and that the Internet is now more secure.
>
>Let's not. Suppose you found a security hole that would let you assassinate
> [...]
>
>The ethical thing to do would have been to inform the local sysadm
>of the hole, and get the patch out as has been done in other recent
>(non-worm) cases. Instead this guy chose to keep his knowledge a
>secret and "play" with it.

No no no no no no no.

Ethical thing to do?? Is it not relevant to ethical considerations that you
take some sort of effective counteraction? Inform the local sysadm of the
hole?? And what if the local sysadm already knew about the hole, and said
"Yeah, if you invoke help in sendmail's interpreted mode it talks about this
debug option - don't worry so much, everybody knows about it, and nothing bad
has happened." And then even if something was posted about it, what portion
of the sys-admin concerned computer population do you think such a posting
would reach, and what portion of them do you think would take action?

These are, for the most part, not unknown bugs we're talking about, hey?
There is enormous investment in computing business/operating system
development to just try to keep up with, and attempt to tame, the problems
that bite you. The costs of less immediate threats, like "obscure" security
holes, are abstract enough to make plans to fix them fall through the cracks.
If you don't agree, consider (as people have mentioned repeatedly) that the
flaws the worm exploited are generally acknowledged to not be new or
particularly abstruse bugs - the potential application of the sendmail debug
option is relatively obvious, if you happen to be aware of its existence.

They are (hopefully 'were') entrenched bugs, with concerns about fixing them
outweighed by the endorsement of their presence in "all the other versions
and incarnations" of bsd operating systems. "If the (other) companies don't
care about them, why should i?" Then along comes someone who gets the bugs on
the front page of most newspapers. This is no mean feat. Resolving these
bugs, which someone should have invested time to do already, becomes the
chore of (very) numerous sys admins around the net, and everyone gets some
public egg on their faces for not having taken care of the problem
previously.

However, the way it happened had all the earmarks of a great adventure with a
happy ending - the shock and challenge of an unknown invader, mustering of
defensive forces ("disease control" in various computing centers), recovery
of atrophied lines of communication, contributions of individual heroes on
the front lines, sweat, diagnosis, and solution of the problem, tracking (and
discovery!) of the mysterious culprit, and controversy, lots of controversy.
People were mobilized and had the opportunity to meet with success. That's
good. I think the general public got the impression of a victory of the
mythical computer wizards over a ferocious dragon, rather than the defense of
concerned computer hackers over another hacker's heavy (and proliferous) but
entirely toothless worm. And that impression is not too bad to have around,
either.

As far as i'm concerned, the real danger right now concerns finding a
balanced response to the situation - obviously the climate regarding system
security is going to change. If not enough effort is invested, the copycat
hacks that we'll be seeing (very soon now) will outstrip the improvements,
get through, and some significant portion of them won't be so benign as our
promiscuous little worm...

On the other hand, if administration becomes reactionary in their attitude
towards the network and takes a fascist, "curtail-access" attitude, then
we're all going to see our work become more difficult, and, for that matter,
less enjoyable.

I have heard hints that R Morris intended for the worm to make its journey
and go away, leaving only definite evidence that it had been everywhere, so
he could then say "see what's possible?" I would bet that if he had
accomplished this the story would not have made the front pages of the New
York Times or the Washington Post, and fewer sysAdmins' supervisors would be
on their sysAdmins' backs. I suppose this would be preferable from at least
the sysAdmins' perspectives, and the shock would be sufficient to get some
action (and avoid administrative fascism), anyway. Still, i feel that the
mobilization and eventual kudos effected to meet the challenge of an overt
and active intruder to our cozy world is the best attitude to start to get
out of our collective complacency.

>Steve Simmons ...!umix!itivax!scs
>Industrial Technology Institute, Ann Arbor, MI.
>"You can't get here from here."

Ken Manheimer klm@cme.nbs.gov or ..!uunet!cme-durer!klm
National Institute of Standards and Technology
(Formerly "National Bureau of Standards")
Factory Automation Systems, Software Support
These are not a sentence, these are pixels.
honey@mailrus.cc.umich.edu (peter honeyman) (11/09/88)
Steve C. Simmons writes:
>The ethical thing to do would have been to inform the local sysadm
>of the hole, and get the patch out as has been done in other recent
>(non-worm) cases. Instead this guy chose to keep his knowledge a
>secret and "play" with it. He's as culpable as if he'd accidentally
>dropped a vial full of smallpox bacteria in a public place.

analogies aside, what's your opinion of people who now claim to have known
about the bugs for years?

	peter
scs@itivax.UUCP (Steve C. Simmons) (11/10/88)
In article <777@mailrus.cc.umich.edu> honey@citi.umich.edu (peter honeyman) writes:
>analogies aside, what's your opinion of people who now claim to have
>known about the bugs for years?
>	peter

Low, but I'm willing to judge on a case by case basis :-). If someone has
known for years and made a good faith effort to inform the responsible
parties both on the vendor and user side, one can ask for no more.
--
Steve Simmons ...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."
scs@itivax.UUCP (Steve C. Simmons) (11/10/88)
In article <709@stylus.cme-durer.ARPA> klm@stylus (Ken Manheimer) writes:
>In article <367@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>>The ethical thing to do would have been to inform the local sysadm
>>of the hole, and get the patch out as has been done in other recent
>>(non-worm) cases. Instead this guy chose to keep his knowledge a
>>secret and "play" with it.
>
>No no no no no no no.
>
>Ethical thing to do?? Is it not relevant to ethical considerations
>that you take some sort of effective counteraction? Inform the local
>sysadm of the hole?? And what if the local sysadm already knew about
>the hole, and said "Yeah, if you invoke help in sendmail's interpreted
>mode it talks about this debug option - don't worry so much, everybody
>knows about it, and nothing bad has happened."
>[[and goes on to an excellent discussion]]

The argument you make is a general ethical one, and has merit. But this
isn't talk.philosophy (yeah, I know I started the thread :-)). If we grant
Morris the best of motives ("see how easy I did X?"), it feels very much
like someone who, in order to show his local fire department is worthless,
starts a "safe" fire. Unfortunately it gets out of hand and burns his whole
house down. Yes, when the authorities will not allow time/money/resources to
do the security fixes, the guy who knows of the hole is in a tough spot. Two
wrongs, tho, don't make it right.

As for the folks who claim we're all better off because of this, I'm
curious. What fixes have come forward since the worm *but not related to
it*? None that I've seen. Folks are suddenly a lot more security conscious
in general but are applying fixes only on this relatively narrow point. I'd
say that we've had only a narrow improvement so far.
--
Steve Simmons ...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."
gore@eecs.nwu.edu (Jacob Gore) (11/11/88)
/ news.admin / scs@itivax.UUCP (Steve C. Simmons) / Nov 10, 1988 /
>it feels very much like someone who, in order to show his local fire
>department is worthless, starts a "safe" fire. Unfortunately it gets
>out of hand and burns his whole house down.

Funny... just this morning, I was thinking along the same line, and caught
myself wondering if the Yellowstone fire was caused by a pyro who missed his
cracker calling (half ":-)").

Jacob Gore Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept. {oddjob,gargoyle,att}!nucsrl!gore
john@frog.UUCP (John Woods) (11/12/88)
In article <372@itivax.UUCP>, scs@itivax.UUCP (Steve C. Simmons) writes:
> As for the folks who claim we're all better off because of this, I'm
> curious. What fixes have come forward since the worm *but not related
> to it*? None that I've seen. Folks are suddenly a lot more security
> conscious in general but are applying fixes only on this relatively
> narrow point. I'd say that we've had only a narrow improvement so far.
>
That's because all the people who know of existing bugs still don't want to
openly publish any bug fixes because Something Bad Might Happen. That's
because they just don't learn. Something bad will happen, again and again
and again, and they'll just say "I knew of that bug years ago, so I haven't
learned anything new."

Everyone who wants to strangle the wormer raise your right hand. Everyone
who knew about these bugs but didn't openly publish fixes for them raise
your left hand. Everyone holding both hands up: please place them around
your own neck and throttle yourself.
--
John Woods, Charles River Data Systems, Framingham MA, (617) 626-1101
...!decvax!frog!john, john@frog.UUCP, ...!mit-eddie!jfw, jfw@eddie.mit.edu
The preceding is the official opinion of the management of radio station WB7EEL.
mak@ndc.UUCP (Mike Klaus) (11/16/88)
In article <367@itivax.UUCP>, scs@itivax.UUCP (Steve C. Simmons) writes:
> Let's not. Suppose you found a security hole that would let you assassinate
> the president. Should you:
> (a) Tell the secret service,

Dumb idea. You would have to answer too many questions. Like,
"Why were you thinking about this?"
"How did you find out?"
"You aren't supposed to know that. Who told you?"
"When were you planning to do this?"
"We don't believe you."
"We can't have you knowing this...."
"You have broken several laws already. Come with us....."

mak

"We're above the law. We can do anything to you that we want. Take the pills,
or we'll give you a shot...." - the thought police