Tom Fitzgerald <fitz @
# The point is not whether ALL the crackers knew ALL the holes - the question
# is whether some increase in the amount of cracker knowledge is worthwhile
# anyway given a much greater increase in the amount of administrator
# knowledge. My site (~400 systems in a $1B/year company) is now much better
# off than it was before, because we've changed from a site that was totally
# defenseless against a small number of crackers, into a site that can
# protect itself against a larger number of crackers. Is this an improvement?
# Yes, definitely. I would not go back.
# The only people who lose under the new arrangement are the crackers and
# others who already knew the security holes, since now they're no better off
# than us unwashed masses.
I'm honestly curious about your experience: was it enough to know that
there was a particular class of bug and that it could be worked around
using methods X, Y, and Z (i.e., was the CERT advisory enough info for
you), or did you really need to know the details of how to exploit
this bug in order to analyze the source and fix it yourself?
# > Somebody ought to be able to get an interesting paper out of this
# > experience. How appropriate that it comes almost exactly 5 years after
# > the Morris incident.
# Agreed. I could write it myself. And it's a shame that, 5 years after
# the "forceps and tweezers" approach was used to throw off a massive threat,
# people still think that secrecy is somehow valuable.
I think that the "forceps and tweezers" approach came later, after the
threat had been abated. There was a certain amount of analysis going
on during the heat of the incident, as there always is, but activities
at most sites were limited to treating symptoms: killing sendmail,
killing fingerd, and so forth. Most sites had no idea exactly what
had hit them and how until days or weeks later; they'd just reacted
(quite effectively, in most cases) to the symptoms.
Did knowing exactly how the Morris thing was working help to combat it?
Not really, I don't think. Did learning after the incident about how
it worked help in general? Yes, I think, by pointing out a number of
bugs and raising the general awareness of the sysadmins and users.
Brent Chapman
COM
+1 415 962 0841
Great Circle Associates
1057 West Dana Street
Mountain View, CA 94041