publicizing security issues (summary of responses)
Al Filipski
al at mot.UUCP
Fri Mar 29 06:02:53 AEST 1985
A few weeks ago, I posted the following:
> A co-worker and I here have written a paper on "UNIX Security".
> We describe the security features of UNIX, the most well-known
> ways of breaking in, and countermeasures to be taken against
> those who try to break in. The article is similar to the BSTJ
> article which appeared just after we had written ours. We submitted
> our article to a major popular computer magazine. The editor is
> uncertain about possible legal liability should anyone use information
> in the article towards illegal ends. I do not know at this point if
> it will be published or not. I'd like to poll the wizards on this point:
> Is free circulation of this kind of information a good or bad thing?
> I tend to belong to the free-speech school that says that
> dissemination of knowledge is a good thing and will strengthen UNIX
> security in the long run. For one thing, a problem stands a much
> better chance of being fixed if it is well-known. Second, with
> the proliferation of UNIX, there are a great many inexperienced
> administrators out there who are sitting ducks. They are often not
> hackers themselves and are at a disadvantage against people
> who have taken the time and energy to learn security by poking
> around themselves.
>
> Experiences, opinions, facts, arguments, flames, etc. are requested
> via mail and will be summarized.
It generated many responses. 31 people said "publish", unequivocally.
8 people said that publication would generally be a good idea, but
they had some reservations: typical comments by this latter group
were "make sure system administrators see it first", "give generalities,
not specifics", "don't expose things that binary-only sites couldn't do
anything about", "don't expose major holes".
8 people said not to publish, or to publish only to system
administrators somehow. I got a lot of legal advice about whether
I would be sued or not and many requests for copies of the paper.
Well, it looks like BYTE is going to publish the article in a few
months. It's really a pretty innocuous article. The things
discussed are pretty well-known and I removed some detail from the
description of some methods, such as the way of exploiting "local
mode" on the other fellow's terminal to buffer up your own commands.
I tried to give enough information so that someone would know
what to guard against and how, but not to make it easy for the bad guy.
When the article is published, I expect to get half a boatload of
mail saying we gave away the store and another half boatload saying
the article was trivial and incomplete. It IS incomplete. I thought
of more things to say as I was mailing it off. It's a start, though.
As promised, a few selected comments follow:
---------------------------------
Hackers and other criminals already know many of the ways to break
into systems. Only by making administrators aware of these things
can the overall security level of systems be improved. Publish!
---------------------------------
Well, you can be sure that the criminals know about the holes and
the good guys don't care. The only people you'll help are non-wizard
Unix system owners (a growing population) and pimply-faced assholes
with a modem.
An interesting ethical problem. Good luck.
---------------------------------
Please please do. Tell everyone about them and that way if you don't
fix the hole it's your own damn fault when someone uses it.
---------------------------------
I think it is good to publicize security problems, but the way you do
so is important. In the magazine article, try not to give the reader
a cookbook for breaking security. In other words, it is all right to
say:
One of the simplest ways to break security is to find the passwords of
legitimate users. On most systems, a high percentage of the users
will have passwords that are in the dictionary...
This will get your point across without giving people who don't know
anything about unix other than how to break in, another tool to use.
You should not include something like the following in your article.
Below is a program which can be used to crack passwords on a Unix
system.
main(argc,argv)
char *argv[];
...
This is especially true for the kmem hacks. You may mention that on
many systems, kernel memory is readable, but don't include the program
to spy on other peoples input buffers.
. . .
. . .
---------------------------------
Although your article may cause many Unix system administrators to squirm in
their seats, I think it should be published.
---------------------------------
In general I am an advocate of exposing bugs to get them fixed, but
have some reservations on that view. For example, I know of a major security
bug in 4.2 which requires kernel modifications. I'd really like to
circulate it -- but it is also a bug in Ultrix, which is binary only
and poor Ultrix system managers will promptly find out that there is a major
hole they cannot plug, but cannot live with either!
---------------------------------
I say print it and the hell with the flames...
---------------------------------
I, for one, would like to see a good paper on Unix security published
in a major popular computer magazine for a number of reasons, most of
which Bob and I mentioned in the introduction to our BLTJ paper. Good
luck getting it published, and please aim me at it when it comes out.
Fred Grampp
research!ftg
---------------------------------
1. Other things equal, publish.
I think you should publish as much as you know. I agree with you that
it is best in the long run for UNIX if this information is publicised,
even if it might cause temporary embarassment to a few systems administrators,
and so on. UNIX security is pretty bad and the manual promises just enough
token security (what with all that rwx--x--x, etc) to lull the naive into a
false sense of safety.
2. Publishing is probably legal.
You should see a lawyer about this: it will, at least, put spine into
your magazine editor. I am not a lawyer. But I read netnews, so here goes,
. . .
. . .
. . .
---------------------------------
I don't think it's a good idea to publicize security-related bugs.
I agree that dissemination of knowledge is in general a good thing, but
the sad fact is that just communicating a fact doesn't guarantee that
the fact is acted upon instantly.
. . .
. . .
. . .
To sum up, publicizing security-related bugs _to_the_wrong_people_ is
very bad. You have to make sure that they're all people who deserve to
know about the bug, i.e. system administrators and Nice Guys. I'd sure
be interested in getting a copy of your paper, but if "mot" were a
binaries-only site, would you trust me with it? Heh, heh, heh ;-).
---------------------------------
I think that you will be sued, or your publisher will, if the article
is published. I think that this is unfortunate. It is better to make these
things known -- but do you really want the hassle of beign sued?
---------------------------------
I cannot advise on the legal aspects, but I do agree with
with the position taken by Robert Morris+Ken Thompson
in their password security paper:
We did not attempt to hide the security aspects of the operating
system, thereby playing the customary make-believe game in
which weaknesses of the system are not discussed no matter
how apparent.
---------------------------------
Yes, do every thing you can to get the stuff published. If you can't get it
published, put it on the net. If you can't put it on the net ... mail me a copy.
---------------------------------
Having previous experience with "hackers" in the media sense of the word
I would be opposed to publication of such information. If the hackers
would have had such information they could have done a great deal of
damage. Any of the recent items posted to the net about security
should be kept as secret as possible. There are *MANY* site with
*BINARY ONLY* that can't fix the bugs even if they know of them.
Common knowledge of these holes would be disasterous for them.
Locksmiths are not allowed to publish arbitrary pieces of information.
---------------------------------
Knowledge of known problems should be disseminated so that it can be fixed!
---------------------------------
I read your article in net.unix and am quite interested, since I have done
research in the area of computer hacking (I also assist in a course on
computer crime taught here at the U. of Pittsburgh).
I do not think that it is too dangerous to publish such information, since
anyone who wants to learn about breaking into computer systems just has to
subscribe to TAP newsletter (if they're still in existance). When hackers
find such information on their own, it usually travels fast, via computer
bulletin boards set up for the exchange of hacking information (such as
Pirates' Cove BBS in N.Y.).
Also, the journal you may be publishing your article in is probably going
to be read mostly by system administrators or respectable programmers.
The few that MAY read your information and use it to break into a system
will find out anyway, and that is the price we pay for freedom of informa-
tion (one I'm glad to).
---------------------------------
I am not a serious hacker. I do administer a UN*X system for use
by some folks, but that is only a part of my job. I, for one,
would benefit greatly by having a list of what loopholes to plug.
Things that are common knowledge are not a threat, things that
are known to a few would be a big threat to me as I don't have
the time to find them. I vote for publish.
---------------------------------
The plus side might be that hackers poking for the fun of it, who
aren't naturally malicious, would be less likely to do accidental
damage. This isn't a small thing.
---------------------------------
I strongly urge you to publish. I am frankly astonished at the widespread
ostrich-like attitude of many system administrators who post to the net,
as if all the problems will go away if we just don't talk about them.
Penetration analyses of other operating systems appear in the literature
often--just look at SIGOP's journal--apparently without major fuss.
---------------------------------
I believe that security problems should be openly discussed. The best
way to make sure a naive administrator knows what his hackers are doing
is to discuss it in open forum. This will probably lead to a sporadic
attempts by the less sophisicated to crack security, but it's a good object
lesson for all involved. The advanced users already know this stuff.
This should also put more pressure on the system vendors to do it
right. Nothing like a thousand binary only customers full of righteous
anger.
If you start a mailing list, or are interested in distributing your paper
please let us know.
---------------------------------
Anthony,
My immediate reaction, which I am sure is no surprise to you, is
to not publish it in the magazine unless it is thoroughly sanitized.
A question that comes to mind is what group of folks do you want to
recognize you as a Unix security guru? If it is the Unix hackers, then it the
magazine will acheive this. If it is the security faction, then the security
forum is the place.
I beleive in free speech also, and have been burned by not being able
to publish exciting results because they are sensitive. Or worse yet having
to change the exciting results to a releasable form that begs the issue. This
what happened with my covert channel analysis stuff.
The risk of publishing it in the magazine is getting labeled as
irresponsible (I dont mean this the way it sounds, but have tried to write
this sentence numerous times and can not do better.).
It is definitely time for us to go get a beer and talk some things
over.
---------------------------------
Philosophically, I'm of the opinion that security problems should be published
as widely and as publically as possible. I think the only way vendors will
ever be convinced they should fix security problems is for enough people [who
care about security - a lot don't] to scream at them; the only way people will
ever learn what to scream about is for people who know what the problems are
to tell them.
On a practical level, however, people who do publish such things widely tend
to get a lot of flack.
---------------------------------
I agree. Publish it all. This makes things better. I am sure
that malicious hacker types cringe everytime they see another one
of "their secrets" made known to all of their potential victims.
---------------------------------
I think you are fairly safe in publishing it, but I'm no lawyer.
The original UNIX Security papers appear in the UNIX manual sets,
and they haven't been sued over it...
==============================================================================
--------------------------------
Alan Filipski, UNIX group, Motorola Microsystems, Tempe, AZ U.S.A
{allegra | ihnp4 } ! sftig ! mot ! al
{seismo | ihnp4 } ! ut-sally ! oakhill ! mot ! al
--------------------------------
If not now - whom? If not me - when?
More information about the Comp.unix.wizards
mailing list