Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!POSTGRES.BERKELEY.EDU!dillon
From: dillon@POSTGRES.BERKELEY.EDU (Matt Dillon)
Newsgroups: comp.sys.amiga
Subject: Re: Internet UNIX (BSD) virus
Message-ID: <8811080626.AA16636@postgres.Berkeley.EDU>
Date: 8 Nov 88 06:26:56 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Lines: 43

Peter da Silva `-_-' peter@sugar.uu.net writes:

>They left themselves open to this attack. This isn't a UNIX problem. This is
>a political problem. They decided to go for convenience instead of security,
>depending on goodwill and the threat of sanctions to keep people in line. I
>suspect that even with this attack it's a good balance for their environment.
>The man-hours that would have been lost to general hassles over the years
>if these features hadn't been available probably counterbalance the time
>spent tracking this sucker down.

No we didn't. This *IS* a UNIX problem. This is NOT a political problem (when are pirates & relations ever political?). Do you think that the mere half dozen items you cited are the entire list? Those items are, in fact, the best protected of the lot and STILL have holes. There are many dozens of holes in the UNIX OS and most of them have nothing to do with networking. Threat of sanctions to keep people in line? Hah!

>The virus was tracked to its source in a matter of hours. Even the much more
>virulent worms that abound in the PC world (more evidence, if any is needed,

No it wasn't. Somebody squealed and somebody else got lucky. Oh sure, they knew the general area, but that was only because the worm was apparently tested a couple of weeks before release. Theoretically you would be able to trace it down to the local net using the sendmail log, but many machines either have it turned off or only log a day or two.

>the net they'd be hit so hard with so many charges and ill-will they'd never
>get a job in this business again.

Nope, wrong. Just about everybody agrees that we were lucky.

It is very, very easy to break into somebody's (possibly non-local-machine's) account and start your virus from there, in which case the trace stops at a dead end. With real-time access to 6000 machines, one simply tries to break into, say, 20 at a time (in parallel), never repeating a machine at intervals of less than, say, a week. Nobody would notice. Anybody who intended to introduce a real virus wouldn't have much of a problem. Infiltration by password breaking and .rhosts is absurdly simple. Telnet'ing to other machines or simply phoning them via tip (try to trace that!) and breaking passwords would certainly cause havoc, especially if you took pains to make the virus undetectable.

-Matt
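The post above names .rhosts trust as an easy way in. As an added illustration (not part of Matt Dillon's post, and not code from any BSD distribution), the following is an auditor for the .rhosts / hosts.equiv line format: each line is "host [user]", a host or user of "+" is a wildcard, "+@name" trusts a netgroup, and a leading "-" on the host field denies the match. The sample file contents are constructed for this example; the field semantics follow the BSD rlogin/rsh documentation, and the "risk" labels are this example's own choice.

```python
"""Audit BSD-style .rhosts / hosts.equiv trust entries for over-broad trust.

Added example. The file format handled here is the classic
"host [user]" form used by rlogin/rsh; the sample input is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TrustEntry:
    host: str                 # hostname, "+" (any host) or "+@netgroup"
    user: Optional[str]       # None = same username as the local account
    negated: bool             # True when the host field carried a leading "-"


def parse_rhosts(text: str) -> List[TrustEntry]:
    """Parse .rhosts text into entries; blank lines and '#' comments are skipped."""
    entries: List[TrustEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host.startswith("-")
        if negated:
            host = host[1:]          # "-badhost" denies badhost
        entries.append(TrustEntry(host, user, negated))
    return entries


def risky_entries(entries: List[TrustEntry]) -> List[Tuple[TrustEntry, str]]:
    """Return (entry, reason) pairs for entries that grant password-less
    access to more than a single named host and account."""
    findings: List[Tuple[TrustEntry, str]] = []
    for e in entries:
        if e.negated:
            continue                 # deny entries do not grant anything
        if e.host == "+" and e.user == "+":
            findings.append((e, "any host, any user"))
        elif e.host == "+":
            findings.append((e, "any host (wildcard)"))
        elif e.user == "+":
            findings.append((e, "any user from host " + e.host))
        elif e.host.startswith("+@"):
            findings.append((e, "netgroup trust: " + e.host[2:]))
    return findings


# Constructed sample .rhosts (assumption: not taken from any real machine).
SAMPLE_RHOSTS = """\
# trusted peers
ucbvax.berkeley.edu dillon
+ +
sugar.uu.net
-badhost.example
+@trusted
lab1.example +
"""


def audit(text: str = SAMPLE_RHOSTS) -> List[str]:
    """Human-readable findings for a .rhosts file body."""
    return [f"{e.host} {e.user or ''}".rstrip() + f": {reason}"
            for e, reason in risky_entries(parse_rhosts(text))]


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run the block and it lists the three over-broad entries in the sample ("+ +", "+@trusted" and "lab1.example +") while ignoring the single-host entries and the deny line. Pointing parse_rhosts at the contents of /etc/hosts.equiv and each home directory's .rhosts gives a quick inventory of exactly the password-less trust paths the post complains about.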