lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Re: [FD] Super Worm

Seriously-nudging-up-to-off-topic-but...

You make a good (albeit incomplete) point. You left out that BITD ('88)
security was NOT a line item, since the 'net was, effectively, a finite
and restricted community. Not every damned idiot has a dial-up, and
almost no one had their own private broadband. The many universities and 
private sector companies that were connected served as gateways for 
thousands, not tens of millions, of users. The users, in turn, consisted 
of (mostly) people who would not tamper with the systems because they 
feared (a) disrupting the community, (b) serious reprisals from their 
company/university/sponsor, and (c) they were too busy doing "real" work 
to have excess time left over to play "I-wonder-what-happens-if-I-try-this"
crap. I can remember people (and likely you can as well if you remember
Morris) who would "find" a hole and tell a few people in terms of 
"don't-do-this-it-night-get-you-kicked-off" Shit, back in '88 people
still were playing music on line printer :-o

Fast forward fifteen years (wow). Everybody from Morris (who reputedly
pled out, served probation and was quietly ensconced in NSA along with
his dad) on down to some 85 year old AOL subscriber is online. Worse,
important (read "money") data is being stored on the publicly accessible
'net (remember universities NEVER kept important data like payroll and
grades online >-) And let's not forget the monoculture was not just
sendmail...as I recall, there were PDPs, IBMs, Cybers (IBM clones),
CDC, VAXen, and not much else available in '88 (yes, I'm discounting PCs
because they were often as not used as front end VT100/3270s for the
big iron when they weren't running Lotus or Solitaire - how things change
indeed).

Today's monoculture (and where *is* Dan Geer anyway) of Microsoft OS's
is being, has been and continues to be exploited. The serious increase in
threat postings to this list in the past week indicates that the Winter 
was well spent and that people who have not already done their Spring
cleaning better stay late this week to make sure that they're not
vulnerable.

BTW, anybody who wants to *really* f**k the system these days better
go read up on SNA, because more banks and insurance companies and
hospitals than I know are ditching the "rack-o-Dells" and the requisite
expenses (people, collocation, blah blah blah) in favor of CICS/DB2
through a 3270 emulator. Stupid part is that they're transmitting that
traffic across the 'net - sometimes via VPN, often not. Forget Ethernet,
start scanning for LU6.2 if you want to be truly 31337.

G

On or about 2004.04.19 17:48:31 +0000, Andrew J Caines (A.J.Caines@...plant.com) said:

> But the monoculture of sendmail was the aggravating factor which made its
> impact so significant - a large piece of complex software riddled with
> design flaws, bugs and beyond the ability of any individual to understand
> and control, used by most systems on the net. [I hold fingerd and rshd
> innocent on the grounds that they worked as intended, but were abused.]
> 
> How times don't change.
> 
> Well, actually they do. There was only one Morris scale worm, sendmail was
> improved in important ways (albeit slowly), superior software was adopted
> in significant numbers by informed netizens and those responsible for the
> poorer quality software took more responsibility in using it properly.
> What's more, we had the excuse of naivety and immaturity of software
> design back then.
> 
> I wonder how long before the current monoculture threat to the net is
> addressed as effectively.

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Powered by blists - more mailing lists