The security of UNIX

ron%brl-bmd at sri-unix.UUCP ron%brl-bmd at sri-unix.UUCP
Tue Jun 28 11:10:21 AEST 1983 

From:      Ron Natalie <ron at brl-bmd>

I'm sorry, but I must disagree with you.  Being from some of the
more paranoid sites, we have fixed a lot of the bugs that we have
found (or experienced I might say) that relate to both system
security (like breaking in, reading protected files, etc...) and
just plain performance pains (like the process fork-a-holics).
I would like to know about **any** bugs (one of the main reasons
for lists of this type) so that I can fix them.  If you really
feel threatened you should read the list and plug the holes, as
someone might find them even if they are not reading UNIX-WIZARDS.

Perhaps we can reach a compromise by suggesting that security type
bugs be accompanied by fixes or suggestions to avoid them.  Hiding
the fact that bugs exist may keep some of the less experienced hackers
from breaking things, but will also keep the system maintainers
from defending their systems against the more experienced goons.

I came from a University who had a student run computer, and I worked
both sides of the wall (both breaker and fixer).  We had no UNIX-WIZARDS
then, we only knew of the existance of a bug when the breaker was
either flamboyant or sloppy enough to make it known to the rest of us
what was happening.  Real trivial errors were fixed immediately
but since there was no way to inform the other sites about the bug,
the mischievous just hopped on (using "stolen" telephone numbers)
on a TIP and blew away some poor unsuspecting system accross the
ARPANET.  Our only respite was the UNIX conferences, where security
was discussed by the few real UNIX gurus at the time, in bull sessions
in the dorm of the University sponsoring the conference.

The type of system maintainer who does not correct bugs in his
system that are called to his attention from UNIX-WIZARDS, probably
has some well known security problems that people are already
exploiting (that they didn't obtain by reading UNIX-WIZARDS either).
While I do not condone the use of this list as a source of ways to
break security, I don't think that sticking our heads in the sand
will make the problems go away.  I feel our best bet is to keep
informed.

-Ron

More information about the Comp.unix.wizards mailing list