Submission for mod-protocols-tcp-ip

USENET Administrator (ucbvax!!usenet@decwrl.DEC.COM)
2 Apr 87 18:48:51 GMT

Path: jade!!jkh
From: (Jordan K. Hubbard)
Newsgroups: mod.protocols.tcp-ip
Subject: jkh annoys the net
Message-ID: <3011@jade.BERKELEY.EDU>
Date: 2 Apr 87 18:48:50 GMT
Sender: usenet@jade.BERKELEY.EDU
Reply-To: K. Hubbard)
Organization: University of California, Berkeley
Lines: 95

By now, many of you have heard of (or seen) the broadcast message I sent to
the net two days ago. I have since received 743 messages and have
replied to every one (either with a form letter, or more personally
when questions were asked). The intention behind this effort was to
show that I wasn't interested in doing what I did maliciously or in
hiding out afterwards and avoiding the repercussions. One of the
people who received my message was Dennis Perry, the Inspector General
of the ARPAnet (in the Pentagon), and he wasn't exactly pleased.
(I hear his Interleaf windows got scribbled on)

So now everyone is asking: "Who is this Jordan Hubbard, and why is he on my

I will attempt to explain.

I head a small group here at Berkeley called the "Distributed Unix Group".
What that essentially means is that I come up with Unix distribution software
for workstations on campus. Part of this job entails seeing where some of
the novice administrators we're creating will hang themselves, and hopefully
prevent them from doing so. Yesterday, I finally got around to looking
at the "broadcast" group in /etc/netgroup which was set to "(,,)". It
was obvious that this was set up for rwall to use, so I read the documentation
on "netgroup" and "rwall". A section of the netgroup man page said:


     Any of three fields can be empty, in which case it signifies
     a wild card. Thus

                universal (,,)

     defines a group to which everyone belongs. Field names that ...

Now "everyone" here is pretty ambiguous. Reading a bit further down, one
sees discussion on yellow-pages domains and might be led to believe that
"everyone" was everyone in your domain. I know that rwall uses point-to-point
RPC connections, so I didn't feel that this was what they meant, just that
it seemed to be the implication.

Reading the rwall man page turned up nothing about "broadcasts". It doesn't
even specify the communications method used. One might infer that rwall
did indeed use actual broadcast packets.

Failing to find anything that might suggest that rwall would do anything
nasty beyond the bounds of the current domain (or at least up to the IMP),
I tried it. I knew that rwall takes awhile to do its stuff, so I left
it running and went back to my office. I assumed that anyone who got my
message would let me know.. Boy, was I right about that!
After the first few mail messages arrived from Purdue and Utexas, I begin
to understand what was really going on and killed the rwall. I mean, how
often do you expect to run something on your machine and have people
from Wisconsin start getting the results of it on their screens?

All of this has raised some interesting points and problems.

1. Rwall will walk through your entire hosts file and blare at anyone
   and everyone if you use the (,,) wildcard group. Whether this is a bug
   or a feature, I don't know.

2. Since rwall is an RPC service, and RPC doesn't seem to give a damn
   who you are as long as you're root (which is trivial to be, on a work-
   station), I have to wonder what other RPC services are open holes. We've
   managed to do some interesting, unauthorized, things with the YP service
   here at Berkeley, I wonder what the implications of this are.

3. Having a group called "broadcast" in your netgroup file (which is how
   it comes from sun) is just begging for some novice admin (or operator
   with root) to use it in the mistaken belief that he/she is getting to
   all the users. I am really surprised (as are many others) that this has
   taken this long to happen.

4. Killing rwall is not going to solve the problem. Any fool can write
   rwall, and just about any fool can get root priviledge on a Sun workstation.
   It seems that the place to fix the problem is on the receiving ends. The
   only other alternative would be to tighten up all the IMP gateways to
   forward packets only from "trusted" hosts. I don't like that at all,
   from a standpoint of reduced convenience and productivity. Also, since
   many places are adding hosts at a phenominal rate (ourselves especially),
   it would be hard to keep such a database up to date. Many perfectly well-
   behaved people would suffer for the potential sins of a few.

I certainly don't intend to do this again, but I'm very curious as to
what will happen as a result. A lot of people got wall'd, and I would think
that they would be annoyed that their machine would let someone from the
opposite side of the continent do such a thing!

                                                Jordan Hubbard

                                        Computer Facilities & Communications.
                                        U.C. Berkeley

This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:37:47 GMT