kak@hico2.UUCP (Kris A. Kugel) (03/05/90)
For the most part, I believe most of the 3b1/7300 owners out there have fixed the most blatent security holes on their systems (logins without passwords, and *VERY* serious permissions holes) I recently restored my 3B1 from scratch, and typed (by hand) a security audit shell program from the book, "UNIX SYSTEMS SECURITY". Given the time and effort it took to type and debug the damn thing in, it seems to me that I could save some other poor souls the effort by making some kinda information available. Now, I can: 1. post the results of the security audit to the world (possibly creating awareness of the holes to those we would rather stay ignorant, and before the holes can be fixed) 2. post the security auditing program (probably violating copyright) 3. mail the results to anybody who requests them (assumes some kinda tracking of who gets it is better than nothing, not all that much safer, and a pain in the butt for me) Seems to me we already had something like this discussion, but I forgot the concensus opinion (if there was one). I'm kinda leaning towards #1 myself. Any opinions? Kris A. Kugel (201) 842-2707 {uunet,att,rutgers}!westmark <--daily {ssbn,zorch,zinn,ditka,daver,attdso} <--semi-daily {wldrdg}!hico2!kak <--maybe {stc-auts} <--seems dead for 9600
levin@magnus.Hotline.Com (Michael M Levin) (03/06/90)
In article <200@hico2.UUCP> kak@hico2.UUCP (Kris A. Kugel) writes: >For the most part, I believe most of the 3b1/7300 owners >out there have fixed the most blatent security holes on >>....... >Given the time and effort it took to type and debug the damn >thing in, it seems to me that I could save some other poor souls >the effort by making some kinda information available. I think that since you went to all the trouble, it would be a shame for it to go to waste. >Now, I can: > >****2. post the security auditing program (probably violating copyright)**** > I like #2 myself. I think that you should check it out, and find out if there is indeed any problem. Another thought is, just send it (via email) to those sites who request it. Is there a specific copyright prohibiting electronic images? If so, you may have already violated it. If not, then there wouldn't be a problem (provided, of course, you give credit where it's due). If you find that there isn't ANY way to implement option 2, without endangering yourself, then I suppose that your first or third choices will have to do. I VOTE FOR # 2 !!!! Mike Levin -- _ _ | | ___ ___ |_| ___ Michael Levin SilentRadio Headquarters- Los Angeles | |/ ._\| | || || \ 20732 Lassen Street, Chatsworth CA 91311 U.S.A. |_|\___/ \_/ |_||_|_| E-Mail: levin@Hotline.Com {att|csun|srhqla}!magnus!mml
kak@hico2.UUCP (Kris A. Kugel) (03/09/90)
In article <200@hico2.UUCP>, kak@hico2.UUCP (Kris A. Kugel) writes: > Now, I can: > 1. post the results of the security audit to the world > (possibly creating awareness of the holes to those > we would rather stay ignorant, and before the holes can be fixed) So far, I've only gotten one objection to this suggestion. If anybody is nervous about this, I'd like to point out that this program isn't reporting the subtle holes, rather it finds more blatant holes on the one hand, and gives suggestions for possible holes on the other. (like reporting all suid and sgid files) > 2. post the security auditing program (probably violating copyright) If somebody comes up with a contact point for the authors, I'll post it if they say ok. This was a popular suggestion, but I've decided I'll give the authors the same consideration that I'd want. I won't have time to track them down immediately. > 3. mail the results to anybody who requests them > (assumes some kinda tracking of who gets it is better than nothing, > not all that much safer, and a pain in the butt for me) I won't have time for this. > Sorry for the delays in responding, I will send approprite mail, etc. when I get back from out-of-town after this weekend. Kris A. Kugel (201) 842-2707 {uunet,att,rutgers}!westmark <--daily {ssbn,zorch,zinn,ditka,daver,attdso} <--semi-daily {wldrdg}!hico2!kak <--maybe {stc-auts} <--seems dead for 9600 P.S. to s5000!gh - the last mail I sent to your machine (on a different subject) got bounced. -Kris