- - - - - - - - -
Subject: Re: SunOS ?
From: digital (Patrick K. Kroupa)
Message-ID: <2VLo3B9w165w@mindvox.phantom.com>
References:
Date: Tue, 27 Apr 93 16:10:24 EDT
Organization: [Phantom Access] / the MindVox system

ian (Ian Bainbridge) writes:

> What's happening with SunOS? I heard from a friend that netcom
> crashed and their entire password file is gone, Bob Rieger who is known
> for being more than a little crazed is threatening to sue everyone in
> sight, the World was down for the night, it's almost like every Sun system
> is going offline did a virus go off?

Nah,

[PoWeRwEEnie]: Hmmmmm, say, I just realized . . . if you chown a shell that has SUID set to daemon and then type sync 18 times in a row between the hours of 3 and 3:14 GMT, this will cause a kernel page fault failure that lets me link /usr/lib/.xAjdfaixX-idfsd into the heat sink, and all I need is half a tube of toothpaste, some dental floss, and a partially congealed can of gcc AND I AM R()oT!@# This also makes NN wake up and realize that it's being held in thrall by countless fingers typing boring shit, but now it is FREED to dance madly and leap about and frolic amongst the ASCII and escape from the drivel that is usually force fed through its electronic gullet and, hmmmmm, gosh, it's just SO OBVIOUS! And NOW I HAVE **THE POWER!** Muhahahahahahah, except, right now . . . I have to go watch Dr. Who, this is the one with the sand people who roll across the desert in garbage pails, and it supplies a beautiful metaphor for human existence and its relation to Surface Mounted Devices.

[Sun]: There aren't any problems we're aware of!

What happens and what it means:

Having shell on any Sun right around now, also means you have root on it. This can range from being sorta annoying, to super_bad, depending on whom the users are. On a public access unix, it's probably NOT a real good thing. Most public access unix's run offa Suns.
Sun will enter denial, seek therapy when a fire is lit under its ass by a growing number of progressively crazier and angrier people, and in a month or so A NEW PATCH will quietly appear on the Sun ftp site. In 5 months CERT will post a PRIORITY NETWORK EMERGENCY UPDATE!@#!#@ and some time in 1997 this hole will be used to crack Shiabatsu Pharmaceuticals in Tokyo and a 14 year old will download the secret of immortality and trade it to Bill Gates for a lifetime supply of 3do carts.

Translated: Kernel's broke, if it needs source code to fix it, chaos will ensue for a while. If it doesn't, a SECRET PATCH will be distributed through the usual suspects, the SECRET PATCH will hit cookbook format in another 3-5 months and propagate to CERT, where everyone will run around in little circles for a while, and those so predisposed, will wreak havoc. Then it'll all die down and be forgotten for a while until 6 months later when Eugene stares at the ceiling and goes, "hmmmmm, now what if . . ."

This has no direct effect on Vox since (drum roll) nobody has shells except for those pesky people who keep deleting utmp and making secret hidden directories that have to be fsck'd out, but besides us, them, the Secret Service's back door, and the various daemons that eat processes at random when they aren't killing each other, everything is just fine unless SOME PEOPLE "secure" ftp at 3am in response to WhEREZ ftPP!!!????!?!?!?!?! I WILL DIE WITHOUT WAReZ!!!@#!!!!

And so the world turns.
Objectively speaking it's all pretty amusing -- Subjectively speaking, after too many hours, it attains the same kinda entertaining quality that all of life has when you don't sleep anymore, because nothing is really real, except this cigarette which has gone out, and AC/DC playing BIG BALLS on a beat up tape machine, although I s'pose that really soon now the Sensitive Save The Rain Forest people from next door will knock upon ours and let us know that we're drowning out the Soothing Strains of New Age music.

Ahhh well.

Patrick

- - - - - - - - -
Subject: Re: SunOS ?
From: enzyme (David Pincus)
Message-ID: <3iPo3B2w165w@mindvox.phantom.com>
Date: Tue, 27 Apr 93 17:29:01 EDT
In-Reply-To: <2VLo3B9w165w@mindvox.phantom.com>
Organization: [Phantom Access] / the MindVox system

pat, it's getting scary, I understood you, now I know I'm really ready for MIT

- - - - - - - - -
Subject: Re: SunOS ?
From: stimpy (Matt Holdrege)
Message-ID: <4aso3B1w165w@mindvox.phantom.com>
References: <2VLo3B9w165w@mindvox.phantom.com>
Date: Tue, 27 Apr 93 18:29:02 EDT
Organization: [Phantom Access] / the MindVox system

digital (Patrick K. Kroupa) writes:

> And so the world turns. Objectively speaking it's all pretty amusing --

Being objective myself, it's downright hilarious.

Stimpy@mindvox.phantom.com
"I am what I am and that's all that I am" - Popeye the sailor man

- - - - - - - - -
Subject: Re: SunOS ?
From: paulk (Paul Kerrios)
Message-ID: <5c0o3B3w165w@mindvox.phantom.com>
References: <4aso3B1w165w@mindvox.phantom.com>
Date: Wed, 28 Apr 93 00:37:27 EDT
Organization: [Phantom Access] / the MindVox system

stimpy (Matt Holdrege) writes:

> digital (Patrick K. Kroupa) writes:
>
> > And so the world turns. Objectively speaking it's all pretty amusing -
>
> Being objective myself, it's downright hilarious.

Agreed, nice summary of the Sun "patch process" :-)

//=======================================\\
Paul Kerrios
/=/ Society has made me what I am today.
\=\
\=\ Ok so maybe I just watch too much TV! /=/
\\=======paulk@mindvox.phantom.com=======//

- - - - - - - - -
Subject: Re: SunOS ?
From: chemist (The Chemist)
Message-ID:
Date: Thu, 29 Apr 93 00:16:05 EDT
In-Reply-To:
Organization: [Phantom Access] / the MindVox system

It's a spooky week, SunOS is fucked badly by something wicked. Cruising some pubic access sites they are shitting in their pants, you guys are lucky you don't run shells :) Still no fixes from "the usual suspects"? :)

-tC

- - - - - - - - -
Subject: Re: what the fuck is going on?
From: ian (Ian Bainbridge)
Message-ID: <1Rqo5B2w165w@mindvox.phantom.com>
Date: Sat, 05 Jun 93 15:03:11 EDT
In-Reply-To:
Organization: [Phantom Access] / the MindVox system

What I never understood was why it always comes down to this handful of people who number less than 100 who between them can never get along, spend their time calling each other names and stealing each other's programs, invading their systems and between them deciding what 100,000's people get to do with their online time or not.

I don't care for PSI more than the next guy, but I find it impossible to understand why all of you act this way from the 14 year old loose cannons all the way to Gene Spafford and his ilk who perpetuate this veil of secrecy and mystery around everything and make people want to go to war over these toolkits that don't do anything except destroy systems.

Can you imagine how much better everything would work on the internet right now, nevermind the internet on Vox itself if the people running it weren't spending god knows how much time making sure that someone else isn't going to destroy the system.

If all of you made the tools available to all, it would solve things so much faster.

ian

################# @
#Ian Bainbridge # mindvox.
# ############################################### phantom.
# I am not responsible for my opinions, I don't know or care!
# com
###############################################################

- - - - - - - - -
Subject: Re: what the fuck is going on?
From: mycroft (Keith Kushner)
Message-ID:
Date: Sat, 05 Jun 93 16:23:53 EDT
In-Reply-To:
Organization: [Phantom Access] / the MindVox system

The truth is that Al Gore, Janet Reno, the FBI, SS, and DEA are behind it all. Using government computers they're engaged in a campaign of hacking into every system they can (remember, Khoresh had a fairly sophisticated computer system) preparatory to issuing warrants for them, using the usual excuses of "child porn," "copyrighted software," "AT&T secrets," "National Security," or "Instructions on how to make fireworks," not to mention planting files for their Gestapo to "find."

Ultimately, their plan is to confiscate several billion dollars worth of equipment, and force whatever systems still exist afterwards to allow the government free access through backdoors to all of them.

- - - - - - - - -
Subject: Re: what the fuck is going on?
From: kieran (Aaron Dickey)
Message-ID:
References: <1Rqo5B2w165w@mindvox.phantom.com>
Date: Sat, 05 Jun 93 16:39:42 EDT
Organization: [Phantom Access] / the MindVox system

ian (Ian Bainbridge) writes:

> I don't care for PSI more than the next guy, but I find it impossible to
> understand why all of you act this way from the 14 year old loose cannons
> all the way to Gene Spafford and his ilk who perpetuate this veil of
> secrecy and mystery around everything and make people want to go to war
> over these toolkits that don't do anything except destroy systems.
>
> If all of you made the tools available to all, it would solve things so
> much faster.

::clap clap clap:: Hurrah and amen, ian! I too am tired of the faux "el33tness" that's pervading the Net to the point where you can't even get a straight answer to a question asked on alt.irc.
Nobody cares about "freedom of information"; they just don't want the holes plugged up so that they can keep on playing their games and taunting others with "I know more than YOU do, nyah!"

-----------------------------------------------------------------------------
Aaron Dickey Internet: kieran@phantom.com, adickey@muvms6.mu.wvnet.edu
-----------------------------------------------------------------------------
Remember Catherine Cornelius! Reno in '96!

- - - - - - - - -
Subject: The SkYie is Fawling
From: digital (Patrick K. Kroupa)
Message-ID:
Date: Sat, 05 Jun 93 20:06:40 EDT
In-Reply-To:
Organization: [Phantom Access] / the MindVox system

Ummm . . . "the underground" is a lot like any other underground, it's not BLATANT; it's subtle. Obtaining "wArEz" that do neat trix, is sorta analogous to buying drugs. Obviously you can buy them anywhere, but there's a very wide spectrum of gradation between scoring a nickel bag and setting up a deal for 200 kilos of heroin. The former is not such a big deal, while people kill each other over the latter.

You can grab password hackers, various utilities, toys, shit like that, from half a dozen ftp sites; sometime in the near future we'll put a lot of it online, it's pretty much public domain and all of 'em do shades of the same thing.

Toolkits are . . . a little different, basically if they do things which are useful, they tend to contain proprietary source code which does not belong to you; in fact it usually belongs to corporations who make a living by selling workstations and operating systems to clients who purchase their equipment with the intent of using it for something other than playing hide and seek with people on a mission from god -- these same people frequently run very large, expensive networks, full of important and confidential information about such secrets of the universe as their forthcoming NEW KIND of dogfood, that can be cracked when you apply 4 year old holes out of CERT SECURITY UPDATES.
Keeping all this in mind, these other people who sell the systems, like oh, say for example Sun and AT&T, have this strange habit of becoming hysterical when their source code floats out over the net and start calling THEM and shouting about felonies. And then PeOple who don't make their saving throws can g() 2 Jayle.

All sorts of neat tangents and facets and curves and angles and things also get mixed into this equation, which have big names like corporate espionage, but actually narrow down to much simpler concepts like: WE HATE YOU AND WANT TO EAT YOUR LIFE.

Wars are about all the usual highly important things that all wars are about -- which is to say; politics, ideology, and most especially, who is a lame fucking loser and who is the current stud-g0d of eunuchs.

Patrick
L0Do()m -TKOS!- (Apple)(Mafia) -~/LorDs AnOnym0us/~- []Klaus Barbie [>oLls ElyTE[]

PS: I will trade all issues of CORE, the SunOS div/mul bug, 192 jpg's of Tra

References:
Date: Sat, 04 Sep 93 00:58:14 EDT
Organization: [Phantom Access] / the MindVox system

tgitm (TGiTM Inc.) writes:

> I'm curious what others impression of the C2 security module is.
> I know it's supposed to be "the best" security you can get but it seems to
> me all that it accomplishes is extensive logging and who is really going
> to plow through all those logs every day? I have a client who is just
> about on the brink of purchasing it and I was wondering what others
> thought about it.

Who is going to plow through all those logs? Well, for one thing it is easy to set up an agent program or expert system type filter to scan the logs for suspicious stuff and then send e-mail to root or sysadmin. I believe C2 classifies security breaches into several levels, level 1 being something minor like attempting to read a file without permission, to level 9 being something like the finding of a SUID root shell in someone's directory during the nightly security scan.
It's all configurable anyway, so you can turn off various parts of it.

In my opinion COPS + Tripwire + tcpwrappers does a very decent job against 99.9999% of the hackers out there. Also, if you prevent access to a shell by implementing a menu system, you're preventing hackers from using the compiler to try out various holes as well.

I feel that COPS + Tripwire + tcpwrappers + no shell access + secure sendmail + no fingerd + no ftpd = as close to 100% secure Unix as you will likely ever obtain.

Thug

##############################################################################
# Murdering Thug #
# thug@mindvox.phantom.com #
##############################################################################

- - - - - - - - -
Subject: Re: C2
From: gjb (Gregory J. Brail)
Message-ID: <6LTF0B1w165w@mindvox.phantom.com>
References:
Date: Mon, 06 Sep 93 00:14:04 EDT
Organization: [Phantom Access] / the MindVox system

tgitm (TGiTM Inc.) writes:

> I'm curious what others impression of the C2 security module is.
> I know it's supposed to be "the best" security you can get but it seems to
> me all that it accomplishes is extensive logging and who is really going
> to plow through all those logs every day? I have a client who is just
> about on the brink of purchasing it and I was wondering what others
> thought about it.

Do you mean the "C2" security in SunOS 4.1.X? This is certainly not the "best security you can get". In particular, it allows logging of everything done on the system, which is a requirement to get a C2 certification. It also makes it more difficult to read the encrypted passwords, which is something any "secure" UNIX ought to do anyway. Of course, it's still pretty easy to read the passwords if you use NIS unless you take precautions.
Regardless, installing any "security enhancement" package won't get you better security unless your administrators and security-types actually monitor what's going on with the system and do stuff like check if sensitive files have been modified or looked at, and look for other suspicious stuff. If your systems are connected to a network, you have a lot more suspicious things that can happen. And you must keep up with your OS vendor so you can install any security-related bug fixes they make available.

Incidentally, "C2" is one of the security ratings established by the National Computer Security Center (?) (NCSC). To get such a rating, the OS must provide some features (and a few the Sun "C2" package doesn't give you). The NCSC must also examine the system and decide if it qualifies. To my knowledge, Sun's "C2" package has not been examined by the NCSC, so it isn't really C2.

Some vendors provide B1- or B2-level UNIXes, which are considerably more secure, although I imagine they're more difficult to use. The highest possible security rating is A1, which means that every piece of the system has been rigorously proven to be free of security holes. No existing operating systems meet this criteria.

greg

- - - - - - - - -
Subject: Re: C2
From: tgitm (TGiTM Inc.)
Message-ID:
Date: Mon, 06 Sep 93 00:58:21 EDT
In-Reply-To: <6LTF0B1w165w@mindvox.phantom.com>
Organization: [Phantom Access] / the MindVox system

I wasn't referring to the C2 that Sun provides, sorry if that was misleading. I simply meant getting the system to meet C2 certification. I realize that it is necessary to have a full-time security person to keep things tight but when you do security contracting a lot of companies will only hire you for a checkup once in awhile. Thus it is up to the security you've installed to hold its own with basically stupid admins until the next time they decided to dish out the $ to you.
I have only had occasional problems (very rarely) where someone has penetrated a system I have finished securing but that is to be expected in a field that changes as fast as security does. I guess my original question was what everyone thought of C2 certified systems as far as ease of use and securitywise.

#kill all
#exit

- - - - - - - - -
Subject: Re: what the fuck is going on?
From: scott (Scott D. Yelich)
Message-ID: <9c3oBc2w165w@mindvox.phantom.com>
References:
Date: Tue, 19 Oct 93 21:08:43 EDT
Organization: [MindVox] / Phantom Access Technologies / (+1 800-MindVox)

stimpy (Stimpson J. Cat) writes:

> It takes intimate knowledge of the operating system and network to truly
> lock out a hacker. It also takes strict policies on passwords, protections
> and such.

It's virtually impossible to lock out a determined hacker if your hosts are connected to a network.

Scott

- - - - - - - - -
Subject: Re: what the fuck is going on?
From: thug (Murdering Thug)
Message-ID: <6uLacc1w165w@mindvox.phantom.com>
References:
Date: Sun, 31 Oct 93 11:19:28 EST
Organization: [MindVox] / Phantom Access Technologies / (+1 800-MindVox)

inf (tom crimi) writes:

> Security is barely existent today and will only get less so tomorrow.
> The only place where ideas and thoughts are secure today is in your brain
> (assuming no one tortures it out of you). As soon as you speak, type,
> draw or write it out it's already insecure.
> One great thing for security is AI. But AI could eventually be fooled or
> what if the AI spies on you :).

Computer security today is a fucking joke. Even the companies who are supposed to have the toughest security (TRW, Lockheed, Grumman, etc..) were all broken into by teens from groups like MOD & LOD.

True computer security may only be obtained with the intelligent use of cryptographic technology. This would include encrypted file systems, kerberos-style login authentication, and AI programs which would monitor _everything_ that is logged for suspicious activity.
That type of system is several orders of magnitude more secure than anything in use by the Fortune 500 today.

Thug

##############################################################################
# Murdering Thug #
# thug@mindvox.phantom.com #
##############################################################################

- - - - - - - - -
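The nightly scan for SUID root shells in users' directories that comes up in the C2 discussion above can be sketched as follows. This is an added example, not part of the original thread or of any C2, COPS or Tripwire package; the function names, the two severity labels, the baseline allowlist and the sample tree are all assumptions made for illustration.

```python
import os
import stat
import tempfile


def scan_setid(root, baseline=frozenset()):
    """Return sorted (path, owner_uid, flags) for every regular file under
    root that carries a set-ID bit and is not in the approved baseline."""
    findings = []
    # followlinks=False: a planted symlink must not steer the scan elsewhere.
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the entry itself
            except OSError:
                continue  # file vanished while the scan was running
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = [label for bit, label in
                     ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                     if st.st_mode & bit]
            if flags and path not in baseline:
                findings.append((path, st.st_uid, "+".join(flags)))
    return sorted(findings)


def severity(owner_uid):
    """Hypothetical two-level rating: set-ID files owned by root rank highest."""
    return "HIGH" if owner_uid == 0 else "MEDIUM"


def build_report(findings):
    """Format findings as the body of a mail to root; empty string if clean."""
    return "\n".join(f"{severity(uid)} {flags} uid={uid} {path}"
                     for path, uid, flags in findings)


def demo():
    """Constructed sample tree: one ordinary file, one setuid file hidden in
    a user's directory, and one setuid file listed in the baseline."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "alice", ".hidden"))
        os.makedirs(os.path.join(home, "bob"))
        plain = os.path.join(home, "bob", "notes.txt")
        rogue = os.path.join(home, "alice", ".hidden", "sh")
        approved = os.path.join(home, "bob", "approved-tool")
        for p in (plain, rogue, approved):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(rogue, 0o4755)
        os.chmod(approved, 0o4755)
        found = scan_setid(home, baseline={approved})
        return [(os.path.relpath(p, home), flags) for p, _uid, flags in found]


if __name__ == "__main__":
    print(demo())
```

Run from cron against the home directory tree, a non-empty `build_report()` result is what would be mailed to root; the baseline keeps known set-ID files from drowning out new ones.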