syngen@ux.rfhsm.lon.ac.uk (Syngen Brown) (11/09/88)
[This is a reconstruction of a message that went AWOL yesterday]

A few people on the list have pointed out that the off-the-shelf Sun distribution includes sendmail with the debug option. Unfortunately, an examination of other Berkeley systems and distribution tapes suggests that the debug option is the prevalent case, rather than the exception.

Systems I checked:

   HLH (Orion) OTS v.2
   SUN v.4
   Gould UTX32 v.2
   Original 4.2BSD from UCB
   Ultrix 2.0

Of the above, only Ultrix 2.0 had sendmail compiled without debug, and if I remember correctly, Ultrix 1.2 sendmail was compiled *with* debug. I'm sure that a quick look at some other BSD-derived systems would reveal a similar pattern.

Although the Internet worm attacked only Sun and Vax systems, other systems would have been threatened if suitable binaries were propagated. When the inevitable attacks on campus networks get under way, I doubt that the attackers will be so conservative in their choice of targets.

-Syngen

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Philosophical problem: A colony of monkeys are incarcerated in the basement of some major Unix site. Each monkey is provided with an ASR37 Teletype (mainly for sound effects). Will changing the root password have any effect on the probability of the system being compromised? [set by Roger Irrelevant].
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++