Path: utzoo!attcan!uunet!husc6!uwvax!rutgers!apple!vsi1!wyse!mips!sultra!dtynan
From: dtynan@sultra.UUCP (Der Tynan)
Newsgroups: news.sysadmin
Subject: Re: Worm/Passwords
Message-ID: <2650@sultra.UUCP>
Date: 12 Nov 88 02:42:00 GMT
References: <22401@cornell.UUCP> <2210005@acf3.NYU.EDU>
Organization: Tynan Computers, Sunnyvale, CA
Lines: 72

In article <2210005@acf3.NYU.EDU>, rosenblg@acf3.NYU.EDU (Gary J. Rosenblum) writes:
> On another note, today I found a student running this wonderful
> little ditty, which he named oddly enough virus.c:

[program deleted -- don't ask me why, I'm just paranoid I guess]

Hmm. I was just talking to Chris Torek about this last week. I discovered
that little killer about four years ago, when I was at Megatest. In very
few microseconds, I was *the most hated* person in the company. The SA at
the time said something along the lines of "You pull a stunt like that
again, and you're off the system!". I wrote it as part of a CPU test
suite. It's probably the ultimate test of a CPU's robustness. If the CPU
doesn't panic within an hour, you have a good port (and good hardware).
To the best of my knowledge there is no way to kill the program save
rebooting the system. Chris tells me that with BSD systems, you can
suspend and kill the jobs. Not much good for those of us in the SysV
domain.

This program is a perfect example of why security can never be "that
good". There has to be an accountability. All the well-wishing from
Weemba won't change that. Another one mentioned by Ritchie (I think),
concerns the use of mkdir/chdir, to use up all the inodes. And so it goes.

I tend to think of computer security as a balance between security and
usefulness. To highlight this, when I was at college, I was a prominent
member of the hacker community. We worked with a Decsystem-20. In fact,
some of the patches to TOPS-20 were inspired by our work. The computer
department improved the security constantly.
For those of you familiar with the TOPS-20, the following will be
familiar. For example, ALL system manuals were unavailable. You had to
reach the level of postgrad to see the system call manual. No access was
given to the MACRO assembler. It too was reserved for postgrads. Instead
we hand-coded everything, and used 'DEPOSIT' and 'EXAMINE' to do our
dirty-work. The department removed those commands from the system. There
was no way to generate executables, because the .EXE structure and the
.REL structure were complicated, and the documentation was again
unavailable. Basically, we ended up writing all our machine-code into
FORTRAN arrays, and calling the array (a bug in the compiler). By the
time I left, besides EDIT, COMPILE and RUN, there was nothing you could
do with the system.

I had constant arguments with the system administrator, over the removal
of the assembly-language tools. He maintained that we didn't need them.
That FORTRAN was sufficient. I, of course, disagreed. Anyway, I think a
good development environment, and a secure system are diametrically
opposed. Unless you can instill a sense of accountability in your users,
you'll never have a secure system. Either that, or you just have
everything on cards, and hand-check them :-)

> and he effectively halted a small vax (11/750). The immediate
> reaction of the powers-that-be, and I must confess I feel this way
> at the moment as well, is to make an example of this person to the
> user community. So now some stupid little prank will go on the
> person's undergrad record (not a big deal overall, but it puts the
> "fear of God into him" as one administrator said to me). Just
> because this worm, whatever your opinion is of it, received an
> overabundance of press coverage.
> Gary J. Rosenblum gary@nyu.edu

The punishment at UC, Galway (Ireland) for discovering the OPERATOR
password, was the "Disciplinary Committee" (think of a Federal Grand Jury
when you read that). It was very successful.
The Committee consisted of just about everyone of any importance in the
college, and a few dignitaries from nearby. The only person I have heard
of, who actually came before the DC, was a student in the 19th Century.
He claimed that the pigeons outside the main hall were disturbing him,
during an examination, so he brought in a shotgun the next day, and
successfully annihilated them. Needless to say, he was thrown out. Even
now, as I write this, my palms begin to sweat, as I remember our fears of
discovery. Perhaps RTM would like to appear before them.
						- Der
--
dtynan@sultra.UUCP (Dermot Tynan @ Tynan Computers)
{mips,pyramid}!sultra!dtynan

--- God invented alcohol to keep the Irish from taking over the planet ---