Xref: utzoo comp.protocols.tcp-ip:5240 comp.unix.wizards:12211 Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!ucsfcgl!seibel From: seibel@cgl.ucsf.edu (George Seibel) Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards Subject: Re: a holiday gift from Robert "wormer" Morris Message-ID: <11226@cgl.ucsf.EDU> Date: 9 Nov 88 03:25:16 GMT References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <76424@sun.uucp> Sender: daemon@cgl.ucsf.edu Reply-To: seibel@hegel.mmwb.ucsf.edu.UUCP (George Seibel) Distribution: na Organization: UCSF Computer Graphics Lab Lines: 33 In article <76424@sun.uucp> dre%ember@Sun.COM (David Emberson) writes: >In article <2060@spdcc.COM>, eli@spdcc.COM (Steve Elias) writes: >> "Wormer" Morris has quite a career ahead of him, i'll bet. >> he has done us all a favor by benevolently bashing bsd 'security'. >I knew about this sendmail bug at least four years ago, courtesy of Matt >Bishop (now at Dartmouth). He wrote a paper detailing at least a half dozen >holes in the Unix system and methods for constructing trojan horses which was >so dangerous that he responsibly decided not to publish it, but instead to >give selected copies to people who could fix some of the problems. He also >wrote an article for the Usenix newsletter, ;login, which explained how to >write secure setuid shell scripts--a major source of security holes. Matt did >not "benevolently bash" anyone's machines. His behaviour, while unsung by >the press and the Usenet community, is an example of the highest in profession- >al and academic standards. This is the kind of behaviour that we should be >extolling. In all due respect, why? It didn't seem to be very effective in closing the hole in sendmail. Now that everyone is coming out of the woodwork exclaiming that they've known about this bug for years, I can't help but wonder why it wasn't fixed. There were a lot of people running around a couple of weeks ago under the blissful assumption that their computers were reasonably secure - they had done all the "right" things, vis a vis file protections, setuid scripts and the like, and all the while, *anyone* with the appropriate knowledge (and apparently a lot of people had it) could have done *anything* they wanted to your machine! Perhaps that was no great surprise to many readers of this newsgroup. Fine. If that's the way people want it, then let's be up front and print a warning on each copy of system software that ships: "Congratulations! You just bought a fine copy of Unix. Don't keep any files you care about on it." If we have security holes on our machines that are well known, and we do nothing to patch those holes, we are asking for trouble. George Seibel