Path: utzoo!yunexus!geac!syntron!jtsv16!uunet!husc6!cmcl2!rutgers!bellcore!tness7!texbell!ssbn!bill
From: bill@ssbn.WLK.COM (Bill Kennedy)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Keywords: security intruder self-help
Message-ID: <233@ssbn.WLK.COM>
Date: 5 Oct 88 05:16:20 GMT
Article-I.D.: ssbn.233
References: <167@carpet.WLK.COM> <1454@lznv.ATT.COM>
Reply-To: bill@ssbn.WLK.COM (Bill Kennedy)
Distribution: na
Organization: W.L. Kennedy Jr. and Associates, Pipe Creek, TX
Lines: 82

In article <1454@lznv.ATT.COM> ziegler@lznv.ATT.COM (J.ZIEGLER) writes:
>In article <167@carpet.WLK.COM>, bill@carpet.WLK.COM (Bill Kennedy) writes:

[ deleting what I wrote ]

>
>Please, please, please!! Anyone with knowledge enough to answer
>this question, DO NOT POST IT TO THE NET!!!! Electronic mail and
>net postings are grossly inappropriate places to discuss security.

Darn it Joe, you're wrong, dead wrong! You're reacting as though we're
publishing the latest technique. That's not what I asked and it's not
what's coming back. Rather than just arbitrarily flog you, let me provide
an example. Gene Spafford says that "at" can be a problem and if you
don't need it, get rid of it. There's a world of difference between what
he said and what I read from your article "For God's sake don't show 'em
how to use `at' to crack" Not a bit. Gene, a generally accepted veteran
says "if you don't need `at' get rid of it". I've been an SA for three
years, I didn't know that, so I went and looked. Guess what? Gene's as
dead right as you are dead wrong. Will I share the technique? Not on
your life! BTW no one need try "at" at ssbn.

>If you have recommendations about books or articles to read, those
>can be posted. Specific recommendations should be communicated in
>person or by telephone.

That guarantees connectivity delays that could be moot before they were
heard. Sorry Joe, the sky isn't falling (nor did you say it was).
This is where the rubber meets the road and the articles and email I have
collected thus far have been immensely useful.

(small) flame on...
You're representative of the paranoia that makes learning so difficult.
Your remarks reinforce a comment (made in ironic jest) that UNIX is an
"oral tradition". Don't look through a cellophane navel, those people
are out there. I asked for some simple things to check. I got 'em,
thousands of others did too. If it only triggered an awareness, I'm
right and you're wrong.
(small) flame off..

> Hackers do not need encouragement or
>challenges, much less the helpful hints that such responses would
>undoubtedly contain. 'Nuff said.
>
> Joe Ziegler
> AT&T Bell Laboratories
> att!lznv!ziegler
>
>The opinions expressed are the explicit policy of my company.

I have seen nothing posted or in mail that even hinted at technique. I
would be standing by your flagpole saluting with you if someone had said
anything about "how". I asked "what", the responses are "what", 'Nuff said.

Cheap shot on...
In almost every response, posted or not, people say "NO ACCOUNTS WITH
NO PASSWORD, NOT EVEN nuucp!"

>The opinions expressed are the explicit policy of my company.

Then why does your company have uucp logins without passwords? I agree
with Jonathan (SA att-mt) that anyone could masquerade as anyone else,
but dammit! Not without a valid password!
Cheap shot off..

I took up space and bandwidth (rather a lot of it) to show the myopia
that we have. My apologies to Joe, he didn't know he was waltzing into
my minefield. What's more important is that he (Joe) is in the majority.
He thinks it's *wrong* to think or talk about good security health. God
love him, he has missed the entire point. We're *all* out here, we're
*all* vulnerable. I welcome all the email I got, I'm preparing a summary
for the net. The summary, like what I've read here so far, will contain
no technique, just preventative medicine.

--
Bill Kennedy  usenet    {killer,att,rutgers,sun!daver,uunet!bigtex}!ssbn!bill
              internet  bill@ssbn.WLK.COM