Interesting People mailing list archives
request for help re SUMEX and the Boucher hearing
From: David Farber <farber () central cis upenn edu>
Date: Mon, 7 Mar 1994 16:49:41 -0500
Posted-Date: Mon, 7 Mar 1994 14:48:52 -0500 To: farber () central cis upenn edu (David Farber) Cc: interesting-people () eff org (interesting-people mailing list), crocker () tis com, vcerf () isoc org Subject: SUMEX; Boucher hearing Date: Mon, 07 Mar 94 14:47:08 -0500 From: Stephen D Crocker <crocker () tis com>
From: werner () rascal ics utexas edu (Werner Uhrig) as Gordon Watts already announced in an article posted to the programmer, comm, and system newsgroups (see Message-ID <gwatts-040394010246 () slip111 fnal gov>) some juvenile got his kicks from breaking into SUMEX last night, deleting files and directories and depositing kiddie porn, leaving behind a pointer to someone's email address (to annoy, no doubt)
Well,... just exactly what went wrong? It's not clear from the message how the system got penetrated. Is this a failure of network architecture, product(s), system administration, or something else? This turns out to be timely. I've just been invited to testify MArch 22 in front of the House Subcommittee on Science, chaired by Rep. Rick Boucher (D-VA) regarding the Internet breakins. Vint Cerf and a few others will be testifying too. Let me use this as an opportunity to ask for help. Vint is also interested in gathering input from the community, so please reply to both of us. Vint asks that replies to him be addressed to vcerf () isoc org subject: congressional testimony I will have five minutes to talk, and I will submit written testimony too. In addition to the direct testimony, there will likely be questions. I plan to cover roughly the following: o The capability for sniffing is increasing, and we must consider the Internet is basically open to this kind of attack. o The minimal protection is to use challenge-response systems or some other form of one time passwords. o A stronger form of protection is to encrypt all traffic. o The technology for doing so has been known for a while. Vendors do not regularly include it, however. o At least part of the problem is that export controls make it unpalatable to include strong protection as a matter of course. o It would be good to have standards for network safety of products. Products should come configured to be safe when plugged into a net, not, as they now are, "unsafe out of the box." I invite comments or pointers to others who might have comments on these points. I will, of course, be expressing my own view, but to the extent that I can get input from the community and shape my message to be consistent with the overall view, I will do so. I'm particularly interested in hearing more about two topics before I start writing: - How widespread was the problem? Who has a picture of all this? Dain Gary from the CERT will be one of the people testifying, and he'll have a moderately complete picture, but I'd like an independent assessment. - What do workstation vendors think about this? I'm particularly interested in contacts within major vendors. Let me know if you know people I should talk to. (I have some names, of course, but don't hold back.) These points may or may not relate to the SUMEX situation. Perhaps something different happened there. Thoughts, comments, suggestions, etc. are all welcome. Thanks, Steve +-------------------------------------+-------------------------------+ | Steve Crocker | Voice: 301-854-6889 | | Trusted Information Systems | FAX: 301-854-5363 | | 3060 Washington Road (Route 97) |-------------------------------| | Glenwood, MD 21738 | Internet: crocker () tis com | +-------------------------------------+-------------------------------+
Current thread:
- request for help re SUMEX and the Boucher hearing David Farber (Mar 07)