Help us defend against VMS!

William E. Sommerfeld wesommer at athena.mit.edu
Tue Mar 1 09:36:52 AEST 1988


In article <14433 at oddjob.UChicago.EDU> matt at oddjob.UChicago.EDU (Mr. nEtural) writes:
>Let me add a few words to Barry's many.
>
>When was the last time you heard of a similar break-in against unix
>systems?  The only one I can remember was a couple years ago, and
>source and object-only fixes to the buggy system program were
>circulated almost instantly.

I think that there was another rash of breakins somewhat more recently
(~1 year ago?) which got a lot of press on RISKS among other places.
None of the breakins were due to software bugs per se, but rather to
sloppy protection configurations and overly trusting .rhosts files.

These types of security holes are particularly tricky to deal with,
and sometimes quite easy to exploit; a friend of mine has broken into
Multics systems (though not ones being run by the DoD) using these
techniques with the Multics equivalent of UUCP.  He wound up with a
ring-zero gate - the equivalent of his own private system call - and
had some fun `playing god' before he made a bug report.  He had
reported the same problem earlier, but it was ignored as `not a
security hole'.

					- Bill



More information about the Comp.unix.wizards mailing list