Re: Crackers and Worms

Marcus J. Ranum (adm!nlm-mcs!!
10 Nov 88 16:21:19 GMT

In article <44440@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:

>The fact that you can run an arbitrary program is such an obvious
>security hole that I can't believe anyone wouldn't report it if they knew.

I think that part of the problem is that the kind of people (like I
used to be) who actively ferret out such information collect it in
their bag of tricks and DON'T share it. A good recent example is all
the frustrated posters with the "well, what the #@!!@#!@ is the stupid
bug with the #!/bin/sh" and the countless deliberately vague answers.

It also doesn't help that there isn't a unified stance on the net as to
whether it is evil to post a security hole to force vendors, etc, to fix
things, or whether it is better to waste countless hours calling tech
support hotlines and being told "it'll be fixed in the next release".
Both going through "proper channels" and "screaming fire" are less than
optimal, but I think this attack indicates that the current approach
doesn't work too well either.

One approach would be for an organization to step forward and offer to
be a clearinghouse for security-related information, distributing it to
a list of KNOWN responsible individuals. (which is roughly what HAS
happened, this time). I don't know how such a set-up could be arranged,
and there is still the problem of getting the people with the secrets
to share them.

I had HEARD of a sendmail bug, and knew it had something to do with
DEBUG mode - but I didn't know the details, since my sources would all
start giggling and getting shy when I asked. We need some SAFE way to
clear such information so that fixes can be issued. I used to think
that it was "job security" and all a part of trying to be a "guru", but
working as a system administrator and legitimately "having root" took
all the fun out of it. In fact, the worst punishment I could imagine
for someone like the wormer would be to make them professionally
responsible for a large campus network :-)

"Strange women lying in ponds, distributing swords is no basis for a system
of government. Supreme executive power derives from a mandate from the masses,
not from some farcical aquatic ceremony."

