Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!decwrl!ucbvax!asylum.sf.ca.us!romkey
From: romkey@asylum.sf.ca.us (John Romkey)
Newsgroups: comp.protocols.tcp-ip
Subject: the worm and internet security
Message-ID: <8907280211.AA09340@asylum.sf.ca.us>
Date: 28 Jul 89 09:11:36 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: romkey@asylum.sf.ca.us
Organization: The Internet
Lines: 69

I agree and I disagree. Mostly agree, and wish to agree more.

Yeah, there're a lot of problems left and the government agencies are *not* being useful. I think that centralized administration of the Internet is absolutely the wrong thing, and that government administration would be a disaster. On the other hand, I'm scared of throwing open the whole Internet for security testing.

The Internet Engineering Task Force met this week at Stanford. According to the NIC, an automated survey of the domain system returned more than 118,000 host names, and several major sites, such as Stanford and CMU, didn't return any data. Probably a better estimate of the number of hosts on the Internet is 150,000 [my opinion]. Right now I just don't think the system is good enough to be able to coordinate that many systems. I mean, we can't even get a lot of system maintainers to install the latest version of sendmail. I'm afraid that declaring next Tuesday open season on the Internet would cause utter chaos.

I don't think this is a *good* state to be in, mind you. Just that this is where we are now, and I can't change the state of the world overnight. Maybe periodically declaring open season for a day would help the world grow up faster, but I'm afraid it might only hinder the growth and get the government involved more, and that, I really don't want.

Some people are recognizing the need for testing. The IAB is pushing to get funding for the "Internet testbed" where they can have an Internet in miniature and do this kind of testing. Some statements from them today made that concern pretty clear.
God, this paragraph sounds like politicalese. Anyway, I don't know if they'll really do it. I don't know if it'll really be effective. But they do seem to be pushing for it, and I'd feel a lot more comfortable about doing the testing in a smaller, more controlled environment.

There's some senator who's trying to introduce legislation that would make it illegal to write a worm or virus. I think worms could actually be very interesting for doing certain kinds of distributed computation or network management.

I also think more vendor responsibility would go a long way. Some of the problems that the worm took advantage of were well known. Sun and DEC shouldn't have released sendmail with debug mode left in. An awful lot of vendors pick up 4.x TCP, get it running on their system, and never really understand what's in it. I do not blame Berkeley for this.

And I don't know how much security is enough. I don't tend to like much at all, myself. At some point to gain the security, you'll have to start making some really big changes. If you want real security, you'll end up not sending passwords and userids in plain text over telnet and rlogin. You'll probably end up with link encryption, and even stronger authentication than what MIT is doing with Kerberos. And those are pretty big changes to the way things are done now. It's going to take a while, and still won't cope with the kind of hardcore password cracking you can attempt when you've got a 1Mbit/s channel into my computer instead of a 1200 baud dialin, and can finger @asylum to find out user names...it's not the network that's insecure there, it's just that the existence of the connection makes it easier to exploit (what didn't used to be) "weaknesses" in the existing operating system.

These issues give me headaches.

Yes, I wish we could do open testing all over the Internet.
We could test security; we could also take pot shots with finger of death packets to find old releases of software that are running on systems and encourage their administrators to run up to date stuff. And more. I don't think it's practical in the current environment, but I do think it is important, regardless.

- john