alt%aids-unix@sri-unix.UUCP (06/18/83)
From: Howard Alt <alt@aids-unix>

There are important things regarding the security of UNIX that need to be discussed. To make the discussions more valuable, it is necessary for many people to contribute their ideas and thoughts on the matter. I agree that Unix-Wizards might not be the place for such a discussion to take place, but we need to find some way to include people in discussions, and not have "undesirables" reading the list.

I am the system programmer at this site, and I am very interested in the problems that others have had with security so I can take steps to keep my system secure. I can imagine that a few bugs still exist in my system, and I would like to take care of them. It seems that people who break into computers have a great advantage in that they feel free to talk to others about how they did it, whereas in our case, we can't talk about problems that we have had with security for fear of giving the wrong person more info.

Clearly, this problem is not an easy one to solve. What is required is a form of communication that has a controlled audience. I propose that we set up the following: an alias at each site that the system administrator has set up. One copy (and only one) would go out to each site, and the system administrator would be responsible for keeping people off the list who shouldn't see it. We must assume that people who are given the root password are people that can be trusted. This is not the most secure system in the world, but I can't think of much more that could be done. Of course, some sort of verification of the "Please add this site" must be done, but I don't see this as a problem.

Perhaps a name like Unix-Security would be appropriate. Of course, this should be limited to System managers and System programmers. Well, any comments/flames/whatever should go to the list for further discussion.

Howard.
pdl@root44.UUCP (06/22/83)
*** FLAME ON ***

``The only things that need guarding are those which are guarded''. (Or to put it another way: the more paranoid you are about your system, the more people will try to break it.) The only system administrators who find systems being broken are those who think (or say) that it can't be done.

Sure, let's discuss UN*X security, but do it OPENLY, otherwise you'll just be encouraging your local system-smashers to bust the news system to enable them to read the `secure news'.

Let us not fool ourselves: NO timesharing system is secure. If you want to you can tap into the cables connecting to the terminals, and read logins and passwords off as people type them (even if cables are armoured, you could probably do the same thing with a sensitive enough pickup), so please don't say ``I've got nearly all of the security bugs out'', it's just plain not true.

To summarise: paranoia is contagious, if the system boss has it, so will the hackers who use/abuse the system. This is counter-productive and anti-social.

*** FLAME OFF ***

I'm sorry if this sounds abusive, but systems administrators always get a reputation for paranoia anyway, and this sort of thing just encourages it.

Yours in anticipation of REALLY friendly systems,
Dave Lukes (...!vax135!ukc!root44!pdl)
edhall%rand-unix@sri-unix.UUCP (06/28/83)
A simple parable: Foobar Home Development, Inc. builds a `status' housing tract. Although the locks Foobar put on the homes look secure enough, there exists a way to open any lock in seconds with simple household tools, and without making the entry obvious. Johnny Admins, a resident of the new tract, discovers the problem quite by accident. He decides to print up some flyers describing the problem and place them on the windshields of cars at a local shopping center.

Did Johnny do the right thing? I think most people's answer would be `no'. And I propose that posting computer security holes to a semi-public computer bulletin-board, such as this, is equally as wrong. The argument that ``security breaches are going to happen anyway whether we disclose their techniques or not,'' doesn't work for me.

And I further propose that the reason why most of the readers of this forum, myself included, don't think in these terms is that we are so involved in the technical details of computing that we have lost all contact with the moral implications of what we are doing. The attitude of a lot of computer-wise people I know is that ``if I can figure out a way of doing it, then it must be OK to do (when it involves a computer).''

* * * * *

It would probably be best if this discussion moved from Unix-Wizards to a more appropriate forum.

-Ed Hall
ron%brl-bmd@sri-unix.UUCP (06/28/83)
From: Ron Natalie <ron@brl-bmd>

I'm sorry, but I must disagree with you. Being from some of the more paranoid sites, we have fixed a lot of the bugs that we have found (or experienced I might say) that relate to both system security (like breaking in, reading protected files, etc...) and just plain performance pains (like the process fork-a-holics). I would like to know about **any** bugs (one of the main reasons for lists of this type) so that I can fix them. If you really feel threatened you should read the list and plug the holes, as someone might find them even if they are not reading UNIX-WIZARDS.

Perhaps we can reach a compromise by suggesting that security type bugs be accompanied by fixes or suggestions to avoid them. Hiding the fact that bugs exist may keep some of the less experienced hackers from breaking things, but will also keep the system maintainers from defending their systems against the more experienced goons.

I came from a University that had a student run computer, and I worked both sides of the wall (both breaker and fixer). We had no UNIX-WIZARDS then, we only knew of the existence of a bug when the breaker was either flamboyant or sloppy enough to make it known to the rest of us what was happening. Real trivial errors were fixed immediately but since there was no way to inform the other sites about the bug, the mischievous just hopped on (using "stolen" telephone numbers) on a TIP and blew away some poor unsuspecting system across the ARPANET. Our only respite was the UNIX conferences, where security was discussed by the few real UNIX gurus at the time, in bull sessions in the dorm of the University sponsoring the conference.

The type of system maintainer who does not correct bugs in his system that are called to his attention from UNIX-WIZARDS probably has some well known security problems that people are already exploiting (that they didn't obtain by reading UNIX-WIZARDS either).

While I do not condone the use of this list as a source of ways to break security, I don't think that sticking our heads in the sand will make the problems go away. I feel our best bet is to keep informed.

-Ron
DBrown.TSDC%hi-multics@sri-unix.UUCP (06/28/83)
edhall%rand-unix@sri-unix.UUCP (06/28/83)
Not to name any names, but I know off-hand of several individuals with access to UNIX-WIZARDS that wouldn't bat an eye at trying each and every security hole they find on each and every UNIX system they gain access to. I learned long ago that even access to the ARPA net (much less USENET) is not limited to `good guys'. Just hang around a university computer center for a while, and you'll see just what I mean.

Perhaps UNIX-WIZARDS gets to a more exclusive audience than people parked at a suburban shopping center, but I see no reason to think that the audience is a more benign one... I sure wish it was.

-Ed
rcj@burl.UUCP (07/01/83)
Regarding your parable about Johnny Admins and the defective house locks:

Scenario A: Johnny puts flyers on the cars in the parking lots, the developers are informed, maybe (MAYBE) one house is broken into before the locks are fixed.

Scenario B: Johnny changes his own locks and says nothing. Within the next six months, seven houses are broken into, ransacked, innocent children maimed, housewives raped, and husbands tied up and forced to watch Gomer Pyle reruns for hours on end.

Which scenario would you rather live in?? Submitted for your approval.....

-- The MAD Programmer -- 919-228-3814 (Cornet 291)
alias: Curtis Jackson ...![ floyd sb1 mhuxv ]!burl!rcj