honey@mailrus.cc.umich.edu (peter honeyman) (11/08/88)
John Moore asks:

>Anyone with a source license check to see if he slipped a trojan horse
>into uucico or uuxqt or something?

there's not a line of code in honey danber or 4.3uucp that was written by rtm. however, rtm's (independent) work on adding protection to uucp served as the inspiration for honey danber's tight-assed protection scheme (e.g., by default, don't send files unless you placed the call; e.g., by default don't allow hosts to request files). his contribution here was a valuable one.

	peter
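The two defaults Peter describes are the SENDFILES and REQUEST options of the HoneyDanBer Permissions file. The fragment below is an added illustration, not part of the original post or of any shipped uucp; the host names, login names and paths in it are made up, and the comments spell out what each option does.

```text
# /usr/lib/uucp/Permissions (HoneyDanBer uucp) -- added illustration, not from the thread
#
# LOGNAME entry: what a remote that logs in to us as "nuucp" may do.
# Both options below are also HDB's defaults when they are omitted:
#   REQUEST=no      the remote may not request (pull) files from us
#   SENDFILES=call  work queued for the remote is sent only when WE place the call
# READ/WRITE default to the public directory and COMMANDS to rmail.
LOGNAME=nuucp REQUEST=no SENDFILES=call \
    READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic COMMANDS=rmail

# Loosened entry for a trusted neighbour (hypothetical host "arizona").
# VALIDATE ties the login name to the claimed machine name, so a stranger
# who knows the uarizona password cannot call in claiming to be "arizona".
# REQUEST=yes and SENDFILES=yes undo the two conservative defaults above:
# the remote may pull files, and we hand over queued work even when it called us.
LOGNAME=uarizona MACHINE=arizona VALIDATE=arizona \
    REQUEST=yes SENDFILES=yes \
    READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic \
    COMMANDS=rmail:rnews
```

The point of the defaults is that a host that merely knows a uucp login gets nothing out of the call except the chance to deliver work; anything it wants from us waits until we call it, and even then only if REQUEST says so. After editing the file, uucheck -v prints how HDB will interpret each entry, which is a cheap way to catch an accidentally loosened line.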
dmr@alice.UUCP (11/09/88)
References: <1445@anasaz.UUCP> <772@mailrus.cc.umich.edu>

Pursuant to the responses of Honeyman and Mitchell to the worries of Moore and Nagle:

Robert Morris (rtm, Morris Minor, the little enchilada) spent two summers, several years ago, in our group at Bell Labs. During the first, his major accomplishment was a complete rewrite of the uucp and accompanying software. As Peter noted, his version was considerably more secure than previous versions, and some of his insights influenced HoneyDanBer uucp. We ran it on our machines for nearly a year thereafter, but dropped it in favor of HDB, mainly because HDB was rapidly gaining favor within AT&T, and Robert's version had no superiority sufficient for us to push it or keep it going in the absence of its author. I believe it was free of intentional trapdoors, unlike sendmail. In any event, the code is long gone except from backup tapes.

The second summer, his major product was a streams implementation of TCP/IP that is still the basis of the Eighth/Ninth edition version of that module. It has since been reworked considerably, mainly to remove the vestiges of the socket mechanisms (he started from the Berkeley code), but again, we have never found any evidence of funny business that wasn't in what he started with.

None of the work he did is in any product, and he didn't have any opportunity to tamper with the master source code-- that is really quite far away from Research.

	Dennis Ritchie
jfh@rpp386.Dallas.TX.US (John F. Haugh II) (11/13/88)
In article <8409@alice.UUCP> dmr@alice.UUCP writes:
>None of the work he did is in any product, and he didn't have
>any opportunity to tamper with the master source code--
>that is really quite far away from Research.

It would be so nice if someone would undertake a security audit to insure that work other college students did, which *is* currently in production, doesn't contain any surprises.

Our friendly enchilada may not be the only prankster out there ...
--
John F. Haugh II                      +----Make believe quote of the week----
VoiceNet: (214) 250-3311   Data: -6272 | Nancy Reagan on Artificial Trish:
InterNet: jfh@rpp386.Dallas.TX.US      |    "Just say `No, Honey'"
UucpNet : <backbone>!killer!rpp386!jfh +--------------------------------------
law@udel.EDU (Jeff Law) (11/14/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>It would be so nice if someone would undertake a security audit to
>insure that work other college students did, which *is* currently
>in production, doesn't contain any surprises.
>Our friendly enchilada may not be the only prankster out there ...

I sincerely hope you are not making a general statement about college students. I take great pride in the fact that UDel allows some students to work at the system level, even in system administration. I happen to be one of those students and have taken slight offense to the recent messages that seem to knock college students as being like RTM. Not all of us write worms and think about how to break security in our spare time.
--
Jeffrey A Law                University of Delaware
PHONE: (302)-451-8005, (302)-451-6339
ARPA: law@udel.EDU, UUCP: ...!<your_favorite_arpa_gateway>!udel.edu!law
alb@olden.uucp (Adam L. Buchsbaum) (11/14/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>It would be so nice if someone would undertake a security audit to
>insure that work other college students did, which *is* currently
>in production, doesn't contain any surprises.

Being just an ignorant graduate student myself, I can't figure out whether this implies that all college students are suspect, anyone who is not in college is not suspect, or both? Perhaps John F. Haugh II could clarify this for me?
ncoverby@ndsuvax.UUCP (Glen Overby) (11/14/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>It would be so nice if someone would undertake a security audit to
>insure that work other college students did, which *is* currently
>in production, doesn't contain any surprises.

Why are you worried only about college students? We're not the only ones in this world to commit crimes.

This security audit should go for any software posted to the net or otherwise available (anon uucp, anon FTP, etc), as well as on a per-vendor basis (who's to say that ABC computer maker didn't botch something in their port?). What you're prescribing is a pretty major task. I'm sure that if anybody with Unix Sources is sufficiently worried about contamination they will perform some sort of "audit" and report the bugs back to the Keeper of the Sources.

Glen Overby
ncoverby@plains.nodak.edu   uunet!ndsuvax!ncoverby   ncoverby@ndsuvax (Bitnet)
m5@lynx.UUCP (Mike McNally) (11/15/88)
In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>It would be so nice if someone would undertake a security audit to
>insure that work other college students did, which *is* currently
>in production, doesn't contain any surprises.

Doesn't seem to me that a diploma forms some sort of delineation between wickedness and honesty. Any company that cares about security but only with respect to those parts of its software that were written by ``college students'' doesn't deserve serious consideration. Surely, the majority of electronic crimes are committed by employees of the victims.
--
Mike McNally                                    Lynx Real-Time Systems
uucp: {voder,athsys}!lynx!m5                    phone: 408 370 2233
            Where equal mind and contest equal, go.
mbt@bridge2.3Com.Com (Brad Turner) (11/15/88)
In article <1777@ndsuvax.UUCP> ncoverby@ndsuvax.UUCP (Glen Overby) writes:
>
>In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US
> (John F. Haugh II) writes:
>>It would be so nice if someone would undertake a security audit to
>>insure that work other college students did, which *is* currently
>>in production, doesn't contain any surprises.
>
>This security audit should go for any software posted to the net or
>otherwise available (anon uucp, anon FTP, etc), as well as on a per-vendor
>basis (who's to say that ABC computer maker didn't botch something in their
>port?).
>
>Glen Overby
>ncoverby@plains.nodak.edu   uunet!ndsuvax!ncoverby
>ncoverby@ndsuvax (Bitnet)

(out of context of course and maybe not 100% exact)
Frank Burns: I wouldn't be so paranoid if everybody wasn't watching me

Let's all put on our paranoia pants and do the little "somebody is out to get me" dance!

I'm not suggesting that security should be ignored, or that code should never be looked at after the first successful compile. It's just that I hate to see everybody join a posse/lynch mob because of ONE (not several, ONE) incident.

So.... Face it, unless you are willing to personally inspect every piece of source for every executable that's on your machine you're potentially compromising the security of your system. It's no good to "audit" the code, because how do you know the auditors can be trusted? Couldn't one dishonest auditor do more harm than anybody else? Think about it, one central group in charge declaring what is and is not fit. A single point of failure!

What it comes down to is the fact that systems these days are far too complicated for a single person to deal with. You have to trust your fellow human being at some point in time, otherwise everybody will be doomed to re-inventing the wheel. Do you personally have the time and expertise to code a boot load PROM? Then go from there to a monitor program to an assembler to a compiler to....vmunix...>rest-of-unix<....ad nauseam. Then if you really want to get paranoid, how about the hardware? You're going to have to design your own CPU, mask it yourself, produce it yourself. Don't forget the glue logic, make your own 74xxx chips, resistors, caps etc... Where does it stop???? I give up, let's disband society and all go live in the woods where only the wildlife can get ya'.

While I'm on my soapbox (and guilty)...Is it possible that we (the computing community) have wasted more time discussing/arguing about the worm than we spent discovering/dissecting/eradicating/patching? My personal view is that the gossip fence has gotten overcrowded and we need to let the issue die and quit wasting net bandwidth rehashing every different flavor of the same argument/issue.

Thanks for your time, have an OK day, and DON'T post a followup.

-brad-
--
v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
Brad Turner   1330 Ashleybrook Ln.   (919) 768-2097 | I speak for myself
3Com Corp.    Winston-Salem, NC 27103   mbt@bridge2 | NOT for my employer.
allbery@ncoast.UUCP (Brandon S. Allbery) (11/21/88)
As quoted from <13059@princeton.Princeton.EDU> by alb@olden.uucp (Adam L. Buchsbaum):
+---------------
| In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
| >It would be so nice if someone would undertake a security audit to
| >insure that work other college students did, which *is* currently
| >in production, doesn't contain any surprises.
|
| Being just an ignorant graduate student myself, I can't figure out
| whether this implies that all college students are suspect, anyone who
| is not in college is not suspect, or both? Perhaps John F. Haugh II
| could clarify this for me?
+---------------

You misunderstand; he's not talking about RTMorris, he's talking about the kind of peoplke who wrote sendmail, and fingerd, and other programs that might have inadvertent security holes in them. And we've *all* done it at one time or another. An independent audit of "important" code is a good idea.

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery  <PREFERRED!>  ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu    <ALSO>        allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
alb@notecnirp.Princeton.EDU (Adam L. Buchsbaum) (11/21/88)
In article <13153@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes:
>
>You misunderstand; he's not talking about RTMorris, he's talking about the
>kind of peoplke who wrote sendmail, and fingerd, and other programs that
>might have inadvertent security holes in them. And we've *all* done it at
>one time or another. An independent audit of "important" code is a good
>idea.
>

What "kind" of peoplke [sic] write sendmail, fingerd, etc.? Perhaps it would just be easier, if we can identify "them," to put them in some sort of prison camp and be done with them.
bhoward@SOL.ENGIN.UMICH.EDU (11/22/88)
From louie.udel.edu!law Mon Nov 21 18:22:58 1988
From: law@louie.udel.edu
Sender: tcp-ip-request@sri-nic.arpa
To: tcp-ip@sri-nic.arpa
Date: 13 Nov 88 19:24:53 GMT
Organization: University of Delaware
Message-Id: <5356@louie.udel.EDU>
References: <8409@alice.UUCP>, <8597@rpp386.Dallas.TX.US>
Subject: Re: rtm and uucp

In article <8597@rpp386.Dallas.TX.US> jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>It would be so nice if someone would undertake a security audit to
>insure that work other college students did, which *is* currently
>in production, doesn't contain any surprises.
>Our friendly enchilada may not be the only prankster out there ...

I sincerely hope you are not making a general statement about college students. I take great pride in the fact that UDel allows some students to work at the system level, even in system administration. I happen to be one of those students and have taken slight offense to the recent messages that seem to knock college students as being like RTM. Not all of us write worms and think about how to break security in our spare time.
--
Jeffrey A Law                University of Delaware
PHONE: (302)-451-8005, (302)-451-6339
ARPA: law@udel.EDU, UUCP: ...!<your_favorite_arpa_gateway>!udel.edu!law

the computer aided engineering network (caen) at the university of michigan depends on a core of 23 fulltime professionals and a roughly equal number of "student" professionals to maintain our network of 500+ apollos, 50+ suns, 350 macs and maciis and assorted ibm machines. the distinction is mostly an artificial one, emphasizing a difference in pay, rather than responsibility or skill. these students help maintain basic systems services, software development and (perhaps not surprisingly) systems security. they are routinely given the root password and determine with the rest of the systems group who else also requires its use. there has never been any question of their integrity.

the suggestion that college students are any more unreliable as a group than, for example, professional systems staff, is unfounded. people respond as they are treated; if treated as responsible members of the computing community, in general, they will respond in kind. if constantly placed in an adversarial role, they become your nemesis.

bruce howard