Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!bionet!apple!bloom-beacon!athena.mit.edu!wesommer
From: wesommer@athena.mit.edu (William Sommerfeld)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Virus - did it infect "secure" machines
Keywords: Kerberos
Message-ID: <7850@bloom-beacon.MIT.EDU>
Date: 7 Nov 88 20:18:47 GMT
References: <1792@sbcs.sunysb.edu>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: wesommer@athena.mit.edu (William Sommerfeld)
Organization: Massachusetts Institute of Technology
Lines: 28

[FYI: it's spelled "Kerberos", not "Kerebos"]

In article <1792@sbcs.sunysb.edu> root@sbcs.sunysb.edu (root) writes:
>Does anyone know whether the sendmail virus was able to infect
>the machines protected by Kerberos?

First of all, machines aren't (directly) protected by Kerberos;
network services are. So, if you run sendmail with debug turned on,
or a fingerd without the range check, or a normal rlogind while
.rhosts files abound, you're vulnerable.

So, yes, a few people who administer systems here at Athena were a
little careless, and installed mailers with "debug" enabled, and some
even left .rhosts in places.

The virus didn't get very far at Athena, mostly thanks to "second
order effects" of Kerberos--our fileservers don't run any more
daemons than they have to, or allow remote logins to mere mortals,
and most of our operations staff have been educated about using
passwords which are in a dictionary.

>No flames, please, the question
>isn't a statement against Kerberos per se; I just wonder whether
>clever people will always find ways into "secure" Unix boxes.

If you want to have some hope of containing things while connected to
a network, be _very_ careful about the network services you run, and
don't run any more servers than you need.

					- Bill