North American Network Operators Group
The good old days (was Re: M$SQL cleanup incentives)
- From: Sean Donelan
- Date: Mon Feb 24 03:16:15 2003
On Sat, 22 Feb 2003, William Allen Simpson wrote:
> > I see. So you're still filtering port 25 from the Morris sendmail worm.
> Funny thing, I was a researcher visiting at Cornell, and had just left
> in the car for the 9.5 hour drive home when it struck. I've often
> wished I'd stuck around for a few more hours for the excitement.
> Anyway, we didn't need to put in a long term block, as everyone took
> down their systems and cleaned them. I didn't even find out about the
> problem until over a day later, by which time it was long gone.
> Ah, the days when we all cooperated....
In 1988 we had ad-hoc responses, with people posting to various USENET
newsgroups or some mailing lists still working, about what they were
seeing and how to fix it. There was no CERT, BBN (and others)
disconnected from the net (and took many people downstream with them),
even though most people knew each other they didn't all have alternate
contact information, and most of the methods the Morris worm used in 1988
are still being used *effectively* today.
1) Backdoor in SENDMAIL
2) Buffer overflow in Fingerd
3) Password guessing in Rsh/Rexec
Some people blocked the ports used. Some people still block ports such
as Finger (79) and rsh/rexec (513/514). But generally ports were blocked
by the local institution, not on the ARPANET.
The version numbers change, the executables change, but the basic problems
haven't changed in 30 years.
We still have backdoors, buffer overflows and password guessing. We still
have ad-hoc response by people sharing solutions on mailing lists. The
people who cut themselves off from the open process are still slower to
get stuff fixed. And we still have weak methods for contacting people
through alternate methods.
I wish it was as easy as paying a managed security company to watch out
for me. But unfortunately, paying several thousand dollars for the
privilege of getting "confidential alerts" which look amazingly similar
to what I wrote on a public mailing list a few hours earlier is a bit