Firewalls: Re: Death of an old myth...

Firewalls
(November 1993)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Death of an old myth...
From:	Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date:	Mon, 08 Nov 1993 20:16:18 -0800
To:	Tom Fitzgerald <fitz @ wang . com>
Cc:	Firewalls @ greatcircle . com
In-reply-to:	Your message of Mon, 8 Nov 93 22:59:08 EST

Tom Fitzgerald <fitz @
 wang .
 com> writes:

# The point is not whether ALL the crackers knew ALL the holes - the question
# is whether some increase in the amount of cracker knowledge is worthwhile
# anyway given a much greater increase in the amount of administrator
# knowledge.  My site (~400 systems in a $1B/year company) is now much better
# off than it was before, because we've changed from a site that was totally
# defenseless against a small number of crackers, into a site that can
# protect itself against a larger number of crackers.  Is this an improvement?
# Yes, definitely.  I would not go back.
# 
# The only people who lose under the new arrangement are the crackers and
# others who already knew the security holes, since now they're no better off
# than us unwashed masses.

I'm honestly curious about your experience: was it enough to know that
there was a particular class of bug and that it could be worked around
using methods X, Y, and Z (i.e., was the CERT advisory enough info for
you), or did you really need to know the details of how to exploit
this bug in order to analyze the source and fix it yourself?

# > Somebody ought to be able to get an interesting paper out of this
# > experience.  How appropriate that it comes almost exactly 5 years after
# > the Morris incident.
# 
# Agreed.  I could write it myself.  And it's a shame that, 5 years after
# the "forceps and tweezers" approach was used to throw off a massive threat,
# people still think that secrecy is somehow valuable.

I think that the "forceps and tweezers" approach came later, after the
threat had been abated.  There was a certain amount of analysis going
on during the heat of the incident, as there always is, but activities
at most sites were limited to treating symptoms: killing sendmail,
killing fingerd, and so forth.  Most sites had no idea exactly what
had hit them and how until days or weeks later; they'd just reacted
(quite effectively, in most cases) to the symptoms.

Did knowing exactly how the Morris thing was working help to combat it?
Not really, I don't think.  Did learning after the incident about how
it worked help in general?  Yes, I think, by pointing out a number of
bugs and raising the general awareness of the sysadmins and users.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @
 GreatCircle .
 COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041

Follow-Ups:

Re: Death of an old myth...
From: "Perry E. Metzger" <pmetzger @ lehman . com>
Re: Death of an old myth...
From: woods @ ncar . UCAR . EDU (Greg Woods)
Re: Death of an old myth...
From: blymn @ mulga . awadi . com . AU (Brett Lymn)

Indexed By Date	Previous:	Re: Death of an old myth... From: Steve Simmons <scs @ lokkur . dexter . mi . us>
Indexed By Date	Next:	Re: Death of an old myth... From: chasin @ crimelab . com (Scott Chasin)
Indexed By Thread	Previous:	Re: Death of an old myth... From: Richard Threadgill <richardt @ remarque . berkeley . edu>
Indexed By Thread	Next:	Re: Death of an old myth... From: blymn @ mulga . awadi . com . AU (Brett Lymn)