home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Hacker Chronicles - A…the Computer Underground
/
The Hacker Chronicles - A Tour of the Computer Underground (P-80 Systems).iso
/
cud2
/
cud219b.txt
< prev
next >
Wrap
Text File
|
1992-09-26
|
10KB
|
205 lines
****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 2, Issue #2.19 (December 31, 1990) **
****************************************************************************
MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto
RESIDENT RAPMASTER: Brendan Kehoe
USENET readers can currently receive CuD as alt.society.cu-digest.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted as long as the source is
cited. Some authors, however, do copyright their material, and those
authors should be contacted for reprint permission.
It is assumed that non-personal mail to the moderators may be reprinted
unless otherwise specified. Readers are encouraged to submit reasoned
articles relating to the Computer Underground.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Contributors assume all responsibility
for assuring that articles submitted do not violate copyright
protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
From: Various
Subject: From the Mailbag
Date: December 31, 1990
********************************************************************
*** CuD #2.19: File 2 of 7: From the Mailbag ***
********************************************************************
From: Wes Morgan <morgan@ENGR.UKY.EDU>
Subject: security checks from outside (In CuD 2.18)
Date: Fri, 28 Dec 90 10:12:09 EST
>From: gnu@TOAD.COM
>Subject: Re: "strangers probing for security flaws" -- another view
>
>Suppose there was a free program, available in source code and scrutinized
>by wizards all over the net, that you could run to test your security. If
>you had the time, you might run it and fix up the things it found. If you
>didn't have the time, those things would probably go unfixed.
There are several packages available for UNIX sites. Two that come to
mind are:
- The suite of programs included in "UNIX System Security", by
Kochan and Wood (published by Hayden Books). These programs
will audit your system for such things as world-writable home
directories, world-writable .profiles, and the like. They will
also track down any setuid/setgid files outside of regular sys-
tem directories. I've seen this package on several archive sites,
but I don't know if it's legal to distribute them. If someone
can contact Kochan, Wood, or Hayden Books, and check on this, I'll
gladly get them into the CuD archive.
- COPS, written by Dan Farmer of CERT. This package is EXCELLENT.
The best feature of COPS is an expert system that pseudo-exploits
any holes it finds. It uses /etc/passwd and /etc/group to learn
what the users are capable of. It then looks for a way to assume
the identity of a particular user. It then checks /etc/group to
see what it can access as the new uid. The chain continues until
it either becomes root or runs into a dead end. The output looks
something like this:
write /usr2/admin/morgan/.profile become morgan group staff
write /bin become bin write /etc become root DO ANYTHING
<This output was caused by my .profile being left world-writable>
This is a SUPERIOR package for UNIX sites. It's available from
cert.sei.cmu.edu.
Both of these can be run via cron. I've been running them for several
months now, with excellent results.
>Sites all over the Internet *are* being probed by people who want to do
>them harm. We know this as a fact. I would prefer if we had some
>volunteer "cop on the beat"s who would walk by periodically and rattle the
>door to make sure it's locked.
I have no problems with this at all, *as long as* I know about it in
advance. With the advent of sophisticated security tools such as those
probably used by the group in Italy, it is awfully easy to claim "cop
on the beat" status after being discovered. There was sufficient concern
about the Italians for CERT to issue a Security Advisory about their
activities. I'm not trying to make any allegations against the folks
in Italy; as far as I know, they are exactly what they claim to be. In
the future, however, I'm going to be EXTREMELY wary of people coming in
"out of nowhere" claiming to be "remote security checkers". An ounce of
paranoia, you know........
Wes Morgan
*******************************
From: Thomas Neudecker <tn07+@ANDREW.CMU.EDU>
Subject: Re: Cu Digest, #2.18
Date: Fri, 28 Dec 90 22:56:16 -0500 (EST)
In a recent CuDigest it was argued copyright protection of user interface
code should be eliminated. The author wrote in part:
>While source code should generally be protected, there are times when it
>may be more profitable to a company to release either the source code or
>important information pertaining to it. A prime example is IBM and Apple.
>Apple chose to keep their operating system under close wraps. IBM, in their
>usual wisdom, chose to let some of it fly. This caused the market to be
>flooded with "clone" PC's. Given a choice, most people bought PC's or
>PC-compatibles.
In fact IBM does not own DOS, ask Mr. Gates at Micro Soft he _sells_
licenses to the clones and sues those who try to steal his code (so does
AT&T/U*ix) Bye the way the first series IBM-PCs came with PC-DOS and CP/M.
IBM wanted Gates to write CP/M for the new machine but he said it was
*owned* by Gary Kildall of Digital Research but he try to write something
else just as good. IBM covered all of the bases and licensed both.
Regarding Apple; the ][+ I bought came with copyrighted O/S in ROM. And a
version of BASIC licensed from Micro Soft. (my 1979 version came with a
complete listing of the code for the ROM). For the LISA and the Macintosh
Apple licensed concepts from PARC for the GUI. They then licensed parts of
their developments to Micro Soft for use in Windows.
For more background on these I suggest a good book on the history of the
personal computer written by Paul Freiberger and Michael Swain. It is
"Fire in the Valley" ISBN# 0-88134-121-5.
*****************************************
From: netcom!onymouse@APPLE.COM(John Debert)
Subject: Encryption dangers in Seizures
Date: Sat, 29 Dec 90 11:20 PST
With all the concern about government seizure of someone's computer
equipment for the purported intention of looking for some kind of criminal
activity, encryption is being seriously considered in order to protect
confidential information from Big Brother's prying eyes.
There are various ways, of course, to encrypt files but one particularly
comes to mind as being at least as much hazard as protection.
The use of the "one-time" method of encryption has been considered the best
way to keep information from those not entitled to it but it seems to me a
two-edged sword, if you will, that can cause harm to whomever uses such a
method to keep the government out of their business.
The one time method uses a unique random key of equal length to the data to
be encrypted which is then XOR'ed with the data to produce the encrypted
result. Without the original key, the plaintext is not recoverable. Or is
it?
Now, suppose that someone has used this method to encrypt files on his/her
system and then suppose that Big Brother comes waltzing in with a seizure
warrant, taking the system along with all the files but does not take the
code keys with them. Knowing Big Brother, he will really be determined to
find evidence of a crime and is not necessarily beneath (or above) fudging
just a bit to get that evidence. What's to keep him from fabricating such
evidence by creating code keys that produce precisely the results that they
want-evidence of a crime? Would it not be a relatively simple procedure to
create false evidence by creating a new key using the encrypted files and a
plaintext file that says what they want it to? Using that new key, they
could, in court, decrypt the files and produce the desired result, however
false it may be. How can one defend oneself against such a thing? By
producing the original keys? Whom do you think a court would believe in
such a case?
One should have little trouble seeing the risks posed by encryption.
jd / onymouse@netcom.UUCP netcom!onymouse@apple.com
********************************
From: Andy Jacobson <IZZYAS1@UCLAMVS.BITNET>
Subject: Hackers as a software development tool
Date: Wed, 02 Jan 91 03:49 PST
I received one of those packs of postcards you get with comp. subscription
magazines (Communications Week) that had an unbelievable claim in one of
the ads. I quote from the advertisement, but I in no way promote,
recommend, or endorse this.
"GET DEFENSIVE!
YOU CAN'S SEE THEM BUT YOU KNOW THEY'RE THERE.
Hackers pose an invisible but serious threat to your information system.
Let LeeMah DataCom protect your data with the only data security system
proven impenetrable by over 10,000 hackers in LeeMah Hacker Challenges I
and II. For more information on how to secure your dial-up networks send
this card or call, today!" (Phone number and address deleted.)
So it seems they're claiming that 10,000 hackers (assuming there are that
many!) have hacked their system and failed. Somehow I doubt it. Maybe they
got 10,000 attempts by a team of dedicated hackers, (perhaps employees?)
but has anyone out there heard of the LeeMah Hacker Challenges I and II?
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+