The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #177 [Re: comments from people at Bell Labs] (1 message, 1640 bytes)
NOTICE: recognises the rights of all third-party works.


From: Steven Bellovin <hector!smb>
To: phage
Date: Tue 18:08:47 08/11/1988 EST
Subject: Re: comments from people at Bell Labs

	From: Eliot Lear <[email protected]>

	A friend of mine at Bell Labs informs me that Mr. Morris broke into
	their machines by bombarding one with packets and then masquerading as
	that machine.  Apparently, this guy is a repeat offender.  By the way,
	at least one person took it that I meant to ridicule Morris by posting
	the fact that he was a MILNET TAC user.  Please let me assure people
	that my intentions were to give the community more of an idea of who
	we are dealing with.

Ahem.  As one of the people directly involved in that so-called security
incident (it was my machine that he targeted), let me clarify the situation.

When working for Bell Labs one summer, his job was to port 4.2bsd TCP/IP to
9th Edition.  While immersed in the depths of the code, he thought he
spotted a security hole.  With the full knowledge and consent of other
members of the staff at Bell Labs, he tested this.  He found that yes,
he could indeed successfully spoof IP.  However, it wasn't quite as
simple as he had first thought; however, it was doable.  He then went
and told me about the security hole.  He did not attempt to subvert
my machine; he did not attempt to break in; he did not even announce
his success by using this technique to send me a message.

Even in retrospect, I do not regard this as improper or unethical
behavior on his part.  Probably, he should have called me first and
asked if he could perform this test.  But many others, both hackers and
researchers of the first rank, prefer to find out privately if they're
seeing things; it strikes me as quite reasonable that a college freshman
would want to be certain before approaching someone about a hole in
their system -- and especially when that someone knows (or knew) much
more about TCP/IP than the student in question.  And I had one of the
few 4.2bsd networks available to him to test against, and I had worked
with him before on other networking and security issues; my machines were
a very logical test point.

Obviously, I've been thinking about that incident a lot recently.  In
fact, I've been musing on what the best fix to that hole is; it's far
from obvious.  I think I now know what to do -- but if you'll forgive me,
I'd rather be certain first that I know what I'm talking about before
I make a fool of myself in public.  And even if I'm right, I may not
publish it any time soon.  Ethically, I must credit Morris with discovery
of the hole; however, it is far from clear to me that he would particularly
want his name attached to another security hole just now, even though
his behavior in that incident was quite proper.

Let me close by pointing out that Morris has neither confessed nor been
convicted; at the very least, it is polite to refer to him as an ``alleged
virus propagator'', and not as a ``repeat offender''.

		--Steve Bellovin