blackcat@neuro.usc.edu (01/17/90)
In article <4613@helios.ee.lbl.gov> Jef Poskanzer <jef@well.sf.ca.us> writes:
>In the referenced message, burch@quik07.enet.dec.com (Ben Burch) wrote:
>}I think here we have the beginnings of a war over the definition of the
>}term hacker!
... personal definition of hacker appears here ...
>This is your definition. It is even the original definition. It is *NOT*
>the only definition. Please do not chase off the telecom hackers. You
>clearly have a lot to learn from them.

Whether one likes change or not, the definition of specific words tends to
change with common usage over time. There can be little doubt that public
opinion subsequent to the release of the movie "War Games" would tend to
support the use of the term "hacker" to refer to people who try to obtain
unauthorized access to computer systems or communication networks. I fail
to see the point of beating this dead horse any further into oblivion.

Now, on to more serious matters. Whatever preconceived notions you hold
about people who seek unauthorized access to computer systems, I ask that
you suspend judgement for a few moments and consider the following points:

o Not every hacker attempts to gain access to systems with freely
  published passwords (as in the case of DEC's VAX fiasco wherein the OS
  installation manuals contained the default passwords for the field
  service and system testing accounts), easily guessed passwords
  (exploiting the lax security practices of authorized users), spoofing
  authorized users to give their account/password in response to a bogus
  login message, rummaging through DP center trash, or by entering lengthy
  random trial and error sequences. Tiny children often exploit these
  vulnerabilities.

o Some hackers gain access by discovering little known defects in system
  software (e.g. side effects of operating system calls); scavenging
  communication devices or buffers for the plain text account/password
  combinations; rewriting microcode for public access communication
  devices; running code under temporarily suspended privileged accounts
  while charging resources used to currently active nonprivileged
  accounts; passively monitoring RF emissions from computer terminals,
  phone lines, microwave towers, and satellite links to secure plain text
  identification, communication access points, and operating procedures;
  or by a wide variety of other means requiring some minimal amount of
  technical expertise. Teenagers exploit such vulnerabilities.

o A very small number of hackers acquire red (crypto secure) data
  communications, break the codes, and steal national defense and
  commercial business secrets. College kids, some West Germans, and not a
  few government sponsored and freelance intelligence agents fall into
  this category.

o One sorry bugger to date has introduced a virus that managed to utilize
  a little known defect in DEC and SUN system software ... and the rest of
  his case is currently on trial & making history. I would note that his
  effort (the INTERNET virus) meets each of the criteria discussed so far
  in this group for being a "hack" of the highest level ... one requiring
  a considerable degree of expertise ... and one (from personal
  examination of virus code) which was not readily understood by an
  experienced hacker.

o Personally, I believe the current attempts to write most computer
  crime/abuse/antihacker statutes are misdirected. They proscribe
  behaviours that are commonly performed by system managers, site security
  personnel, vendor maintenance personnel, and many others. These statutes
  may give the public a false feeling of security and provide prosecutors
  with an additional tool to selectively harass someone they don't like.
  But none of these statutes address the fundamental weaknesses in
  existing data processing systems. The primitive security techniques
  these statutes attempt to support (plain text challenge and response
  with account names/passwords) were developed in the 1960s with little
  thought about persistent attack. Such statutes will accomplish little
  more than the ECPA (Electronic Communications Privacy Act) which forbids
  listening to cellular telephone communications. Such calls are
  broadcast at 30 kHz intervals in the band from 870-890 MHz. A quick scan
  of this broadcast band will indicate that few if any callers are aware
  that their voice can be received anywhere within the range of the
  repeater servicing their call. Simple plain text challenge and response
  offer little more security for computer systems.

o I believe the law should be changed to match the anti-gun statutes ...
  "USE A COMPUTER IN THE COMMISSION OF A FELONY: GO TO JAIL" ... crimes
  require criminal intent ... the government should be forced to prove
  that intent ... if unintended damage is caused, some civil action to
  recover the cleanup costs may be appropriate ... and, if the government
  can prove intent, as in the case of a spy with full documentation of a
  continuing pattern of abuses, then find a tall tree and hang 'em high
  ... but never sidestep the issue of intent ... it may not be easy to
  prove ... but our entire criminal legal system is built on a foundation
  of intent ... throw that away and no citizen (however blameless) will be
  safe from persecution.

o In any case, I believe the new generation hackers (intruders) may be
  better served by being invited by the old generation hackers (obscure
  code craftsmen) to participate in this discussion group and attempt to
  become interested in more productive activities -- (e.g. fixing public
  domain INGRES to run on current generation Unix systems, updating the
  old X10 server for the IBM PC to work with X11R4, etc). I would offer
  them lists of anonymous ftp/xfer systems containing millions of lines of
  code from small programs to large systems that would meet their need to
  explore (without the very time consuming and wasteful process of
  breaking uninvited into personal, commercial, and government systems),
  be challenged, and perhaps even contribute to the wealth of good hacks
  available to the public.

o No one should be insulted ... or otherwise baited or goaded into
  breaking into systems as a sign of rebellion against established
  authorities like the people who browbeat the bored and restless children
  who have written into this group in an attempt to make contact with
  something more stimulating than an assignment to write a "C" program to
  solve an arbitrary combinatorics problem.

> Obligatory hacking report:

I am trying to fix a generic security problem involving the triggering of
data terminal answerback buffers by whatever program elects to send a ^W in
the course of displaying a message. The specific problem I have encountered
is a public access computer terminal room where one of our students entered
"^Y@dra0:[name]x.bat" into the answerback buffer, waited for a privileged
user to access that terminal, sent email containing a ^W to that privileged
user, the privileged user read the email, triggered the answerback buffer,
and promptly changed the protection on the user authorization file and the
user authorization program to rwed access for all users on the system. The
student user ran the user authorization program, reset the password on a
dormant privileged account, logged out, logged back in as the dormant
privileged user, reset the protection on the user authorization file and
the user authorization program, read and copied mail between numerous high
level administrative users, introduced numerous trapdoors to allow reentry
to our system, and logged out with nary a trace (some details of the audit
trails that were successfully used to secure a full confession have been
left out) of her presence.

This is a perplexing problem ... why do manufacturers still put an
answerback buffer in computer terminals ... such buffers should have
disappeared with the Model 35 TTY. Currently, short of periodically sending
^W to all of our inactive terminals (and gobbling up the response), there
is no evident way to prevent such abuse. Suggestions anyone?

FINAL COMMENT: The INTERNET virus should be treated as a product liability
question. In my opinion, DEC and SUN should pay the cost of the cleanup
effort. If it were not for latent defects in the products distributed by
these two manufacturers (which have been subsequently repaired by emergency
hacks and official patches), the relatively innocuous INTERNET virus could
not have spread so far so rapidly. The show trial of some poor student who
happened to test for the presence of this defect and found he had created
an extremely large chain reaction of systems passing this virus from one to
another ... is only detracting from the central fact -- today's vendors are
incapable of producing computer products without significant security (and
for that matter day to day operational) defects. These defects regularly
result in unintended system crashes, destruction of data, communications
outages, denial of service, etc. If we are not going to put a very large
number of unwitting vendor software development people, system managers,
users, and maintenance people in jail for unintentionally triggering such
disruptions ... then we are going to have to find a better way to secure
systems ... some way that is better than the Morris show trial.
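An added example, not part of the original post, of the display-side answer to the problem the poster raises: untrusted text (here a constructed mail body) is passed through a filter that renders terminal control characters visibly before anything reaches the terminal, so a message cannot fire the answerback buffer. The ^W trigger comes from the post; treating ENQ (^E), ESC and the 8-bit C1 range the same way is an assumption about which characters a given terminal reacts to.

```python
# Added example (not from the original post): neutralise terminal control
# characters in untrusted text before it is written to a terminal, so that
# a message body cannot trigger an answerback buffer or other terminal
# feature. Which characters a given terminal reacts to is an assumption;
# the poster's ^W is covered together with ENQ (^E), ESC and the C1 range.

# Tab and newline are allowed through because ordinary layout needs them.
_SAFE_CONTROLS = {"\n", "\t"}


def caret_notation(ch: str) -> str:
    """Render a C0 control character or DEL in visible caret form."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    return "^" + chr(code + 0x40)   # 0x17 -> ^W, 0x05 -> ^E, 0x1B -> ^[


def sanitize_for_terminal(text: str) -> str:
    """Return text with every C0 control (except tab/newline), DEL and
    8-bit C1 control replaced by a visible, harmless representation."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in _SAFE_CONTROLS:
            out.append(ch)
        elif code < 0x20 or code == 0x7F:
            out.append(caret_notation(ch))
        elif 0x80 <= code <= 0x9F:            # C1 controls such as CSI
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def find_controls(text: str) -> list:
    """List (offset, name) for each dangerous control character, so a
    delivery agent can log or reject such a message instead of showing it."""
    hits = []
    for i, ch in enumerate(text):
        code = ord(ch)
        if ch not in _SAFE_CONTROLS and (code < 0x20 or code == 0x7F):
            hits.append((i, caret_notation(ch)))
    return hits


# Constructed sample: a mail body carrying a ^W (answerback trigger) and an
# escape sequence that would otherwise clear the reader's screen.
SAMPLE_MAIL = "Hi,\nplease look at the attached log.\x17\nThanks\x1b[2J"

if __name__ == "__main__":
    print(find_controls(SAMPLE_MAIL))
    print(sanitize_for_terminal(SAMPLE_MAIL))
```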
peter@sugar.hackercorp.com (Peter da Silva) (01/17/90)
First of all, I agree with blackcat that the ECPA is seriously deficient in
many areas, particularly in the quixotic attempt to legislate privacy for
cellular phones. One thing that I found amusing in his article, though, was
the following:

> o One sorry bugger to date has introduced a virus that managed to
> utilize a little known defect in DEC and SUN system software ...
> and the rest of his case is currently on trial & making history.
> I would note that his effort (the INTERNET virus) meets each of
> the criteria discussed so far in this group for being a "hack"
> of the highest level ... one requiring a considerable degree of
> expertise ... and one (from personal examination of virus code)
> which was not readily understood by an experienced hacker.

Well, first of all, it's a worm, not a virus. A virus is a passive partner
in transmission between systems. But that's a nitpick. More importantly,
analysis of the Internet Worm has been widely disseminated, and this
analysis shows that it's not the work of a particularly skilled programmer.
One knowledgeable in the details of the systems involved, perhaps, but
clumsy and given to very poor coding practices. If that's a "hack of the
highest order" then it's a sad commentary on this new generation of hackers.

> o In any case, I believe the new generation hackers [ be encouraged to
> engage in productive work, such as updating old PD and freeware versions
> of INGRES and X...]

Most of these folks are not competent to do this. They've a lot of
patience, but little technical skill. As you said, RTM's buggy little
program was a "hack" of the highest order. What could low-order hackers do?

I can understand their frustration. As little as ten years ago there was a
whole range of interesting programs that had yet to be ported to personal
computers. Today the "market" for PD terminal programs, editors, and the
like is glutted. There's no place for newbies to prove themselves, other
than in destructive activity. How many teenagers even appreciate the value
of an X server when they don't have anywhere to run the clients?

Newer and less popular machines like the Amiga and Atari ST still have room
for creative hacking: look at MIDInet on the ST, or all the PD device
drivers on the Amiga. But older machines like the Mac and the PC are either
unable to support stuff like this, or again the market is glutted. And it's
the older machines that the vast majority of would-be hackers have access
to.

> Obligatory hacking report: I am trying to fix a generic security problem
> involving the triggering of data terminal answerback buffers by whatever
> program elects to send a ^W in the course of displaying a message.

You're lucky. There are a lot of terminals out there that permit more
extensive programming. There's one guy who has a file that when catted
takes over the terminal and pretends to delete all the user's files. In an
academic environment this could be deadly.

> FINAL COMMENT: The INTERNET virus should be treated as a product liability
> question. In my opinion, DEC and SUN should pay the cost of the cleanup
> effort...

If they indeed ignored bug reports, yes. But that will come out in the
trial.

The Internet is deliberately a moderately low-security environment, and it
will be subject to similar pranks in the future so long as people don't
have any responsibility for their actions. I'm not particularly upset with
RTM, but then we weren't affected, but I think that if he gets off lightly
it'll open the floodgates for more disruption: either through pranks or
ill-advised security measures that reduce the usability of the Internet.
-- 
Peter "Have you hugged your wolf today" da Silva <peter@sugar.hackercorp.com>
`-_-'
 'U`  "I haven't lost my mind, it's backed up on tape somewhere"
bob@MorningStar.Com (Bob Sutterfield) (01/17/90)
In article <22359@usc.edu> blackcat@neuro.usc.edu writes:
>One sorry bugger to date has introduced a virus that managed to
>utilize a little known defect in DEC and SUN system software ...
The defect is present in all such software derived from the same BSD
sources. DEC and Sun had nothing more to do with it than any other
manufacturer shipping their own versions of that software, except that
the worm's perpetrator had access to DEC and Sun hardware. Had {s}he
access to other hardware, likely other brands of machines would have
fallen victim as well.
>...I would note that his effort (the INTERNET virus) meets each of
>the criteria discussed so far in this group for being a "hack" of
>the highest level ... one requiring a considerable degree of
>expertise ... and one (from personal examination of virus code)
>which was not readily understood by an experienced hacker.
(How do you know that it's "his" effort and not "her" effort?)
From other accounts, the worm was a poor-quality piece of code. It
was inelegantly written and didn't take advantage of several pieces of
information that were available to it, that would have made it much
more prolific. It used inefficient algorithms in several spots, and
contained bugs that rendered important parts of its apparently-
intended functions impotent. The perpetrator showed some rudimentary
awareness of some particular features of the systems it attacked, but
not an astute understanding of computer science nor an overall
knowledge of the systems it attacked.
In other words, yes, a "hack" of the highest level, not a quality
piece of work that I would have been proud to put my name on. The
attacker should *not* be lauded for any expertise displayed.
>FINAL COMMENT: The INTERNET virus should be treated as a product
>liability question. In my opinion, DEC and SUN should pay the cost
>of the cleanup effort. If it were not for latent defects in the
>products distributed by these two manufacturers (which have been
>subsequently repaired by emergency hacks and official patches), the
>relatively innocuous INTERNET virus could not have spread so far so
>rapidly.
As noted above, other manufacturers' products contained the same
holes, and some still might. No particular ones should bear any
particular liability beyond that of any others, just because their
machines were the ones that happened to be available for the
attacker's development work.
>...today's vendors are incapable of producing computer products
>without significant security (and for that matter day to day
>operational) defects... we are going to have to find a better way
>to secure systems ... than the Morris show trial.
Agreed. Such efforts are underway, most notably the Computer
Emergency Response Team. Channels are being put in place between
Internet workers and those responsible for host software, or at least
those responsible parties who are interested in being made aware of
the problems with their software.
Obligatory hack story: a late computer graphics production company had
designed and built their own custom fast 32-bit Unibus frame buffers,
with eight bits each for red, green, and blue and eight bits for
"coverage", an antialiasing technique (read some papers from probably
ten years ago by Frank Crow and Charles Csuri). Some Sun-1
workstations were purchased as artistic workbenches, and needed the
capability to preview images using the same rendering software as was
running on the larger machines. At the time, the only commercially
available frame buffers that were even vaguely appropriate provided
only eight bits per pixel.
So I bought three video boards (all the poor desktop Sun could hold in
its little Multibus without overheating, and even that was iffy) and
took red from one, green from another, and blue from the third. The
boards were mapped into Multibus address space, and coverage was
implemented in a big malloc()'d hunk of the Sun's own scarce core. A
collection of twenty-line macros implemented my emulation of the
system call interface to the Unibus device drivers, and the rendering
software (once realigned for proper byte-ordering non-assumptions)
never knew the difference. It certainly didn't know that it was
talking to three separate devices plus an in-core buffer.
Once scaled for host CPU speed, my hack compared well with the
performance of the custom logic. Management was pleased, but the
boards' designer wasn't exactly ecstatic at me :-)
bob@MorningStar.Com (Bob Sutterfield) (01/18/90)
In article <4948@sugar.hackercorp.com> peter@sugar.hackercorp.com (Peter da Silva) writes:
>The Internet is deliberately a moderately low-security environment,
I'd go even further: The Internet is deliberately a no-security
environment. It's a wire. It provides connectivity, not policy.
Responsibility and authority over individual machines is reserved by
the owners of those machines, as well it should.
Of course, there are policies about what sort of traffic is
appropriate to cause to flow over the network, and there are de-facto
operations policies (don't flood the wire!), but individual machines
are the responsibilities of their owners.
>I'm not particularly upset with RTM,
Nobody should be upset with anybody - because nobody knows who's
guilty!
>...I think that if he
or she!
>gets off lightly it'll open the floodgates for more disruption:
>either through pranks or ill-advised security measures that reduce
>the usability of the Internet.
Agreed. The worst possible consequence of the Internet Worm would be
if a bunch of congressmen's wives (or similar unknowledgeable
busybodies) decided to respond to sensationalist press reports by
imposing additional layers of policy on the network itself. The
single most important attribute of the Internet is universal
availability and connectivity between all the machines that are
connected to it. When that is compromised, there might as well not be
a network. "The price of freedom is eternal vigilance."
gnu@hoptoad.uucp (John Gilmore) (01/19/90)
> ...I think that if he [Robert Morris]
> gets off lightly it'll open the floodgates for more disruption:
> either through pranks or ill-advised security measures that reduce
> the usability of the Internet.

Perhaps if Mr. Morris "gets off lightly" (e.g. doesn't get thrown into
involuntary servitude or enforced confinement) then more people will have
the guts to test Internet security, report problems where they find them,
and fix them in appropriate ways.

On the other hand, if Mr. Morris loses his freedom, a lot of security
problems will go unreported, since who wants to go to jail for telling a
stranger that his system is insecure? Best to just keep it to yourself or
tell your cracker friends.

If the Internet community doesn't provide itself with "well-advised"
security measures, what choice does it provide to ignorant oversight
agencies but "ill-advised" security measures? Congress and even DARPA are
not experts at computer security -- we are. Their jobs are to clean up our
act in their own ham-handed way if we don't clean it up for ourselves. But
our advice and our actions are too often "security through obscurity" and
"just make it illegal so it will go away".

Mr. Morris's worm program is 95% of the way to an excellent security
testing program -- a watchdog for your network -- that will tell YOU, the
system administrator, about any known holes in your net, long before a
cracker discovers them. For this he is put on trial and all copies of the
source code are locked away. Suuuuuure we believe in computer security and
in technical solutions to technical problems.

Don't complain when the bureaucrats make your life miserable, you brought
it on yourself.
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        gnu@toad.com
Just say *yes* to drugs.  Say "no" to undeclared wars on sovereign countries.
blackcat@neuro.usc.edu (01/20/90)
In article <9738@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>On the other hand, if Mr. Morris loses his freedom, a lot of security
>problems will go unreported, since who wants to go to jail for telling
>a stranger that his system is insecure? Best to just keep it to yourself
>or tell your cracker friends.
>

BTW ... which employee or contractor is going to be prosecuted under the
same statutes for introducing the software program that exploited a bug in
the AT&T long distance switching system and fooled most switches into
thinking all of their circuits were busy? This "worm/virus/germ" seems to
have completely unintended effects. However, it did disrupt a very large
communications network, denying service to millions of customers, and
costing untold millions of dollars in direct and indirect damages.
Certainly no one was "authorized" to cause this disruption. So, who is
going to be prosecuted, fined, and put in jail for this software fiasco?
Let's find another poor bugger who apparently had the technical knowledge
to cause a potent software disruption in a network that is undeniably more
vital to public health, business interests, and national security than the
measly little problems caused by the INTERNET virus.

bc

p.s. You can read the GAO report on the INTERNET virus if you need a much
more lengthy reason for calling this code a virus. Fundamentally, they
decided on this nomenclature because it was already in most common use.
cygnus@vax1.acs.udel.EDU (Marc Cygnus) (01/20/90)
(setq hack-talk nil)

In article <9738@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>> ...I think that if he [Robert Morris]
>> gets off lightly it'll open the floodgates... <etc. deleted>
>
>Perhaps if Mr. Morris "gets off lightly" (e.g. doesn't get thrown
>into involuntary servitude or enforced confinement) then more people
>will have the guts to test Internet security, report problems where
>they find them, and fix them in appropriate ways.
>
>On the other hand, if Mr. Morris loses his freedom, a lot of security
>problems will go unreported, since who wants to go to jail for telling
>a stranger that his system is insecure? Best to just keep it to yourself
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

hoooOOOOwaitaminute! There's a BIGBIGBIG difference between `telling a
stranger that his system is insecure' (communications with sysadmins,
management, security updates, etc.) and `telling...' by *demonstrating* to
the poor stranger by penetrating said stranger's system(s) and driving
things through the roof!

> <etc. deleted>
>
>Mr. Morris's worm program is 95% of the way to an excellent security
                              ^^^^^^^^^^^^^^^^^

yeah right. except that it was *ahem* `tested' on a system that was NOT
isolated from the internet, and OOPS! It Got Out.

>testing program -- a watchdog for your network -- that will tell YOU,
>the system administrator, about any known holes in your net, long
>before a cracker discovers them. For this he is put on trial and all

yeah right, again. it'll tell YOU, the sysadmin, by tying up completely
valuable resources like networks and cpu time. that's what happened. i'm
not disagreeing that the idea of a clean 'scavenger' programme that could
check for holes in a net is bad, i'm disagreeing that the internet worm was
NOT the approach to use (and i imagine it wasn't intended so).

>copies of the source code are locked away. Suuuuuure we believe in

not so, john. every single site that got infected got, free of charge, a
complete and operational version of the programme. oh, and people who
*need* to know (sysadmins, etc) about the techniques the worm used can
*get* the information from certain security organisations. it _really_
wasn't anything breathtakingly brilliant. but effective? yes. if you have
access to kernel and utility source code, the only additional info you need
to understand the worm is public (_Tour_of_the_Worm_, for instance, and
also the MIT paper).

> <etc. deleted>
>--
>John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        gnu@toad.com
>Just say *yes* to drugs.  Say "no" to undeclared wars on sovereign countries.

(setq hack-talk t)

i'm taking a break from hacking a device driver for a Tek4129 (on a
Sun4/60), so image data can be directed to the Tek (thru a 38.4kbaud link
to a cisco box) and printed out on an HP colour inkjet (our only form of
colour hardcopy at the moment). ugly, but if it works, hey!

-marcus-

oh, yeah. i'm also `hacking' :-) the primary circuit capacitor for the
exact device mentioned below.
                                       |
                                       |
                                       V
-- 
-----------------------------------------------------------------------------
"Opinions expressed above are not necessarily those of anyone in particular."
`...but do YOU own a    | ARPA: cygnus@vax1.acs.udel.edu
 homemade 6ft Tesla?'   | UUCP: {yourpick}!cfg!udel!udccvax1!cygnus
jxxl@huxley (John Locke) (01/20/90)
In article <5527@udccvax1.acs.udel.EDU> Marc Cygnus writes:
> hoooOOOOwaitaminute! There's a BIGBIGBIG difference...

What is this supposed to be--credible English or an excerpt from Pee Wee
Herman's autobiography?

> yeah right, again. it'll tell YOU, the sysadmin, by tying up completely
> valuable resources like networks and cpu time. that's what happened.

Am I the only sysadm who thought the entertainment from this "worm" more
than compensated for any time lost or inconvenience? I'm amazed (and
further entertained) by the high level of moral priggishness applied to
this phenomenal event. On the one hand, everyone seems to agree that
nothing like this has ever happened before. On the other hand, we have
people whining about losing a couple of days' work. Well, partee animals,
do me a favor and go back to sleep. (Or entertain me further.)

> it _really_ wasn't anything breathtakingly brilliant.

Sour grapes. It was a tour de force.