Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!usc!cs.utexas.edu!uunet!mcvax!kth!draken!tut!santra!jkp
From: jkp@cs.HUT.FI (Jyrki Kuoppala)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: the worm and internet security
Message-ID: <24248@santra.UUCP>
Date: 6 Aug 89 04:35:36 GMT
References: <8907280211.AA09340@asylum.sf.ca.us>
Sender: news@santra.UUCP
Reply-To: jkp@cs.HUT.FI (Jyrki Kuoppala)
Organization: Helsinki University of Technology, Finland
Lines: 275
In-reply-to: romkey@asylum.sf.ca.us (John Romkey)

In article <8907280211.AA09340@asylum.sf.ca.us>, romkey@asylum (John Romkey) writes:
>On the other hand, I'm scared of throwing open the whole Internet for
>security testing. The Internet Engineering Task Force met this week at
>Stanford. According to the NIC, an automated survey of the domain
>system returned more than 118,000 host names, and several major sites,
>such as Stanford and CMU, didn't return any data. Probably a better
>estimate of the number of hosts on the Internet is 150,000 [my
>opinion]. Right now I just don't think the system is good enough to
>be able to coordinate that many systems. I mean, we can't even get a
>lot of system maintainers to install the latest version of sendmail.
>I'm afraid that declaring next Tuesday open season on the Internet
>would cause utter chaos.

It's been proposed that security problems like those the worm used,
whenever found, should first be published on a restricted-access
mailing list as soon as possible. This mailing list should have all
major Un*x vendors on it, so that they can rush bug-fixes to their
clients as soon as possible. Then, with for example a three-month or so
delay, this mailing list would be relayed to a Usenet newsgroup.

I think this approach would work quite well. The knowledge that the bug
will be public knowledge in some months should make the vendors'
support much better.

Perhaps then we wouldn't be seeing all these various sendmail, ftpd,
rcp, rdist, rwall/wall, fingerd, nfs, rexd, lpr, ptrace, uucp, yp and
who knows what else (they're too numerous to remember already!)
security bugs months or even years after they've become at least
partly public knowledge.

The Berkeley ucb-fixes list already does a very good job at this - but
apparently it isn't enough, as many vendors seem to neglect the
security fixes which Berkeley puts out. For example, how many have
fixed the one with rshd and rlogind accepting connections from ports
under 512? It seems that someone has to make public the information on
how to use the bug before the vendors believe it.

Also, some way should be found to make vendors make the out-of-the-box
system even somewhat acceptable. Especially Sun loses badly on this. I
think they still have + in their /etc/hosts.equiv. They have extremely
bad manners in other things, too, like that /etc/utmp is
world-writable. And even after the rwalld / wall bug was published,
apparently they STILL don't plan to change that. They're practically
asking for trouble.

Perhaps there should be some kind of `security rating' given to an
operating system. I don't mean ratings like C2 or things like that;
just an estimate of how many known security bugs a system has and
whether it is suitable for use on the internet off-the-box or if it
needs a few weeks of debugging with a tight comb to prevent J. Random
User on the internet from getting root access on it in five minutes by
reading the tips from `The History of BSD Unix'.

>Some people are recognizing the need for testing. The IAB is pushing
>to get funding for the "Internet testbed" where they can have an
>Internet in miniature and do this kind of testing. Some statements
>from them today made that concern pretty clear. God, this paragraph
>sounds like politicalese. Anyway, I don't know if they'll really do
>it. I don't know if it'll really be effective. But they do seem to be
>pushing for it, and I'd feel a lot more comfortable about doing the
>testing in a smaller, more controlled environment.

Sounds good.

>There's some senator who's trying to introduce legislation that would
>make it illegal to write a worm or virus. I think worms could actually
>be very interesting for doing certain kinds of distributed computation
>or network management.

That kind of legislation sounds extremely silly and dangerous to me.
Computers are nothing but a tool. Why should they be treated any
differently from any other tools in legislation? If a person
deliberately causes harm to others - like destroys all data from a
police computer - certainly there already are laws which can be used
against this person. Of course, some laws about official documents may
need to be changed to cover documents stored on computer systems, but
the need for a separate `computer fraud law' is not clear to me.

Actually, I find the idea of a `computer fraud law' quite disturbing.
If it is made criminal to, for example, feed wrong information to a
computer, it leads to a great reduction of the individual's basic
rights. As an example, I'm appending the State of Wisconsin Computer
Fraud Law to the end of this message (as a part of a law is of hardly
any use). As I have little experience reading legalese, perhaps I have
misunderstood the law, but to me it seems that there's no mention of
the purpose for which the computer system in question is used. Also,
headings like `(3) OFFENSES AGAINST COMPUTERS, COMPUTER EQUIPMENT OR
SUPPLIES.' seem quite strange to me - I thought the laws were there to
protect people, not machines (the heading sounds like those you see in
scifi-novels describing societies ruled by computers ;-). Of course, I
can't be sure if the document is real as I've gotten it via the
computer networks, so please tell me if it isn't.

>These issues give me headaches. Yes, I wish we could do open testing
>all over the Internet. We could test security; we could also take pot
>shots with finger of death packets to find old releases of software
>that are running on systems and encourage their administrators to run
>up to date stuff. And more. I don't think it's practical in the
>current environment, but I do think it is important, regardless.
> - john

Perhaps there should even be `an internet requirement' of sufficient
security; that is, if a site runs software with all the five-year-old
network bugs unfixed, they're not allowed to be on the internet. That
way, good will in the net is maintained as random pranksters don't get
access to machines they don't have official accounts on nearly as
easily. Please note that this shouldn't be extended to administrative
policies, just the security bugs (much like the RFC requirements).

Ah well, just an idea.

//Jyrki

----------------------------------------------------------------------

-- Computer Law - State of Wisconsin Statute --

Chapter 293, Laws of 1981

943.70 Computer crimes.

(1) DEFINITIONS. In this section:

(a) "Computer" means an electronic device that performs logical,
arithmetic and memory functions by manipulating electronic or magnetic
impulses, and includes all input, output, processing, storage, computer
software and communication facilities that are connected or related to
a computer in a computer system or computer network.

(b) "Computer network" means the interconnection of communication lines
with a computer through remote terminals or a complex consisting of 2
or more interconnected computers.

(c) "Computer program" means an ordered set of instructions or
statements that, when executed by a computer, causes the computer to
process data.

(d) "Computer software" means a set of computer programs, procedures or
associated documentation used in the operation of a computer system.

(dm) "Computer supplies" means punchcards, paper tape, magnetic tape,
disk packs, diskettes and computer output, including paper and
microform.

(e) "Computer system" means a set of related computer equipment,
hardware or software.

(f) "Data" means a representation of information, knowledge, facts,
concepts or instructions that has been prepared or is being prepared in
a formalized manner and has been processed, is being processed or is
intended to be processed in a computer system or computer network. Data
may be in any form including computer printouts, magnetic storage
media, punched cards and as stored in the memory of the computer. Data
are property.

(g) "Financial instrument" includes any check, draft, warrant, money
order, note, certificate of deposit, letter of credit, bill of
exchange, credit or credit card, transaction authorization mechanism,
marketable security and any computer representation of them.

(h) "Property" means anything of value, including but not limited to
financial instruments, information, electronically produced data,
computer software and computer programs.

(i) "Supporting documentation" means all documentation used in the
computer system in the construction, clarification, implementation, use
or modification of the software or data.

(2) OFFENSES AGAINST COMPUTER DATA AND PROGRAMS.

(a) Whoever willfully, knowingly and without authorization does any of
the following may be penalized as provided in par. (b):

1. Modifies data, computer programs or supporting documentation.
2. Destroys data, computer programs or supporting documentation.
3. Accesses data, computer programs or supporting documentation.
4. Takes possession of data, computer programs or supporting
   documentation.
5. Copies data, computer programs or supporting documentation.
6. Discloses restricted access codes or other restricted access
   information to an unauthorized person.

(b) Whoever violates this subsection is guilty of:

1. A Class A misdemeanor unless subd. 2, 3 or 4 applies.
2. A Class E felony if the offense is committed to defraud or to obtain
   property.
3. A Class D felony if the damage is greater than $2,500 or if it
   causes an interruption or impairment of governmental operations or
   public communication, of transportation or of a supply of water, gas
   or other public service.
4. A Class C felony if the offense creates a situation of unreasonable
   risk and high probability of death or great bodily harm to another.

(3) OFFENSES AGAINST COMPUTERS, COMPUTER EQUIPMENT OR SUPPLIES.

(a) Whoever willingly, knowingly and without authorization does any of
the following may be penalized as provided in par. (b):

1. Modifies computer equipment or supplies that are used or intended to
   be used in a computer, computer system or computer network.
2. Destroys, uses, takes or damages a computer, computer system,
   computer network or equipment or supplies used or intended to be
   used in a computer, computer system, or computer network.

(b) Whoever violates this subsection is guilty of:

1. A Class A misdemeanor unless subd. 2, 3 or 4 applies.
2. A Class E felony if the offense is committed to defraud or obtain
   property.
3. A Class D felony if the damage to the computer, computer system,
   computer network, equipment or supplies is greater than $2,500.
4. A Class C felony if the offense creates a situation of unreasonable
   risk and high probability of death or great bodily harm to another.

-- Penalties for Infractions --

939.50(3) Penalties for felonies are as follows:

(a) For a Class A felony, life imprisonment.
(b) For a Class B felony, imprisonment not to exceed 20 years.
(c) For a Class C felony, a fine not to exceed $10,000 or imprisonment
    not to exceed 10 years, or both.
(d) For a Class D felony, a fine not to exceed $10,000 or imprisonment
    not to exceed 5 years, or both.
(e) For a Class E felony, a fine not to exceed $10,000 or imprisonment
    not to exceed 2 years, or both.

939.51(3) Penalties for misdemeanors are as follows:

(a) For a Class A misdemeanor, a fine not to exceed $10,000 or
    imprisonment not to exceed 9 months, or both.
(b) For a Class B misdemeanor, a fine not to exceed $1,000 or
    imprisonment not to exceed 90 days, or both.
(c) For a Class C misdemeanor, a fine not to exceed $500 or
    imprisonment not to exceed 30 days, or both.

--
Jyrki Kuoppala    Helsinki University of Technology, Finland.
Internet :        jkp@cs.hut.fi [128.214.3.119]
BITNET :          jkp@fingate.bitnet
Gravity is a myth, the Earth sucks!
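Three of the out-of-the-box problems named in the post above (a bare `+` in /etc/hosts.equiv, a world-writable /etc/utmp, and rshd/rlogind accepting client connections from source ports under 512) can be written down as concrete checks a site can run against its own hosts. The Python below is an added example for this page, not code from the post, from Berkeley or from any vendor. The file names are the ones the post mentions; the sample hosts.equiv contents, the file mode and the port list are constructed test inputs; the 512..1023 source-port window is the rule 4.3BSD rshd applies (IPPORT_RESERVED/2 up to, but excluding, IPPORT_RESERVED), which is the assumption behind `reserved_port_ok`.

```python
"""Defensive audit checks for the 1989-era defaults discussed in the post.

Hypothetical example code (not from the post or any vendor). It covers:
  1. /etc/hosts.equiv trust entries: a bare "+" host trusts every host,
     and a "+" user field trusts every user from that host.
  2. /etc/utmp must not be world-writable.
  3. The r-command reserved-port rule: a client's source port must be in
     512..1023 before rshd/rlogind even looks at hosts.equiv.
"""
import stat

IPPORT_RESERVED = 1024          # first non-reserved port (BSD constant)
IPPORT_RESERVED_START = 512     # lower bound BSD rshd/rlogind accept (IPPORT_RESERVED/2)


def parse_hosts_equiv(text):
    """Return (host, user, negated) tuples from hosts.equiv contents.

    4.3BSD format: one entry per line, "[-]host [[+|-]user]"; '#' starts
    a comment; a bare "+" in the host field matches any host.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host.startswith("-")
        if negated:
            host = host[1:]
        entries.append((host, user, negated))
    return entries


def hosts_equiv_findings(text):
    """Human-readable findings for wildcard trust entries in hosts.equiv."""
    findings = []
    for host, user, negated in parse_hosts_equiv(text):
        if negated:
            continue                      # "-host" revokes trust, never grants it
        if host == "+":
            findings.append("hosts.equiv: '+' trusts every host on the network")
        if user == "+":
            findings.append("hosts.equiv: '%s +' trusts every user from %s" % (host, host))
    return findings


def utmp_world_writable(mode):
    """True if an st_mode value (e.g. os.stat('/etc/utmp').st_mode) grants
    write access to everyone; the post flags exactly this default."""
    return bool(mode & stat.S_IWOTH)


def reserved_port_ok(port):
    """4.3BSD rshd/rlogind rule: client source port must be 512..1023.

    Accepting ports under 512 is the bug the post says many vendors never
    fixed; ports of 1024 and above were never reserved for root at all.
    """
    return IPPORT_RESERVED_START <= port < IPPORT_RESERVED


# Constructed sample input, not a real file from any host.
SAMPLE_HOSTS_EQUIV = """# constructed hosts.equiv for the audit example
+
labhost.example.org
-badhost.example.org
fileserver.example.org +
"""


def audit(hosts_equiv_text=SAMPLE_HOSTS_EQUIV, utmp_mode=0o100666,
          client_ports=(20, 513, 1023, 1024)):
    """Run all three checks and return the list of findings."""
    report = list(hosts_equiv_findings(hosts_equiv_text))
    if utmp_world_writable(utmp_mode):
        report.append("/etc/utmp is world-writable (mode %o)" % (utmp_mode & 0o777))
    for port in client_ports:
        if not reserved_port_ok(port):
            report.append("r-command client source port %d outside 512..1023: reject" % port)
    return report


if __name__ == "__main__":
    for line in audit():
        print(line)
```

`audit()` with the constructed defaults returns five findings: two from hosts.equiv, one for the utmp mode, and one each for source ports 20 and 1024. On a real host, replace the sample text with the contents of /etc/hosts.equiv and pass `os.stat('/etc/utmp').st_mode` as `utmp_mode`; the port check is the one a server would apply to each incoming connection before consulting hosts.equiv.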