Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!mcsun!ukc!dcl-cs!aber-cs!athene!pcg
From: pcg@cs.aber.ac.uk (Piercarlo Grandi)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Message-ID:
Date: 16 Feb 91 21:02:31 GMT
References: <1991Feb12.085747.8468@specialix.co.uk> <27B93F44.5606@tct.uucp> <6027@unix386.Convergent.COM>
Sender: pcg@aber-cs.UUCP
Organization: Coleg Prifysgol Cymru
Lines: 73
Nntp-Posting-Host: teachk
In-reply-to: pax@megasys.com's message of 15 Feb 91 12:25:34 GMT

On 15 Feb 91 12:25:34 GMT, pax@megasys.com (Garry M. Paxinos) said:

pax> In article <6027@unix386.Convergent.COM>
pax> mburg@unix386.Convergent.COM (Mike Burg) writes:

mburg> From a view of a person who has worked for various Unix system
mburg> houses - you can't really blame ISC, ESIX, or any other vendors
mburg> that currently has the bug in its release.

They have been aware of the problem for probably well over a year. I
have very little doubt it is a deliberate trojan horse, for the benefit
of those "in the know".

The hole was well known, nothing has been done about it for a long time.
AT&T says they corrected the bug in their 3.2.1 update tape; I think
that all the major AT&T licensees probably received it not much less
than 2 years ago.

Now think of this: there are literally dozens (if not hundreds!) of
thousands of 386 systems with this trojan horse sold and installed in
civilian and military Government offices, many installed under the
premise that C2 security was what the Government needed for better
protecting sensitive (but not classified, thank goodness) data. All
these systems will not be updated overnight; most will keep the trojan
horse for their entire useful life.

pax> I agree completely on the above, with systems as complex as a full
pax> Unix operating system it is quite likely that some things will slip
pax> thru.

This is simply unbelievable. It did not slip thru; all we have read
points out that all vendors knew it was there, and left it in by way of
a conscious decision. All vendors except AT&T, SCO and Dell, that is.

pax> [ ... ] Unfortunately, as they seem to be able to come up with a
pax> fix by next Friday (the 22nd), the latter appears to be the case...

AT&T say (informally, in this newsgroup) that they corrected it in
3.2.1, and sent the corrections in its update tape to its licensees. SCO
and Dell installed the corrections. Probably ISC and the others have now
decided to just put those corrections in.

Incidentally, note that Dell's 3.2 product is a derivative of ISC's, yet
Dell's does not have the trojan horse and ISC has it.

ISC and many others boast of the stringent and very expensive QA process
they run on their products, the same process that took two years after a
public fix had been posted to these screens to find the inode bug (and
some other System V vendors still haven't discovered it!).

IMNHO it is some system vendors (and ISC are better than most!) who are
the worst hackers; apart from engaging in mass denial of service attacks
on their customers called 'releases' :-), which usually cost much more
lost time than the Internet Worm, they put (or leave) trojan horses in
their systems, including those advertised as C2 more "secure" and sold
to the Government as such.

If you want to read something really hair raising about the potential
for vendor hackery, read Ritchie's musing on what can be done with
virusing 'cc' in his Turing award lecture in CACM. The military have
independent source verification teams and other very expensive ways of
protecting themselves against supplier hackery; we only have the GPL :-).

Finally, it is easy to think that if the author of this incident were a
graduate student or a random chap somewhere he would by now probably
have been arrested by the Secret Service, his machines impounded, and
would be facing the probability of years in prison, and certain ruin.
Think of this, and get information about the EFF.
-- 
Piercarlo Grandi                   | ARPA: pcg%uk.ac.aber.cs@nsfnet-relay.ac.uk
Dept of CS, UCW Aberystwyth        | UUCP: ...!mcsun!ukc!aber-cs!pcg
Penglais, Aberystwyth SY23 3BZ, UK | INET: pcg@cs.aber.ac.uk