[108325] in Cypherpunks


Eskimo North: The Unix Un-Illuminati Homeworld

daemon@ATHENA.MIT.EDU (Mike Duvos)
Fri Feb 12 02:48:13 1999

Date: Thu, 11 Feb 1999 23:34:49 -0800
To: cypherpunks@cyberpass.net
From: r00t@eskimo.com (Mike Duvos)
Reply-To: r00t@eskimo.com (Mike Duvos)

I just had the enjoyable experience of being a customer on Eskimo
North, a Seattle ISP, for an entire three days, at a total cost
of $48 dollars.  And let me tell you, I got my full $48 dollars
worth of entertainment during that time.
 
Eskimo, it seems, has invented a new approach to Unix system
security which goes beyond "security by obscurity," and might
best be termed "security by culling the technically competent
from the userbase."
 
Due to some recent attrition in the services offered by various
public access modem pools in the area, I decided last weekend
that it was probably time to get another account on an ISP
with a local dialup presence.  After some web grepping, I decided
on Eskimo North, which had been in business for a number of
years, and offered full-featured Unix shell accounts and SLIP/PPP
emulation for $18 a month.
 
I filled out the online form on Saturday for a free two week
trial, and on Sunday, a nice person called me to validate the
account, and assured me it would be available by morning.
 
So far, so good, I thought.  They seem like nice people.
 
Monday arrived.  I called the provider, attempted to log in, and
my account wasn't there.  Fearing I had perhaps mistyped the
password the single time it was requested on the online form, I
called the help desk, and received the explanation - "Uh, I just
got in." I was assured the account would be up "sometime in the
afternoon."
 
Lo and Behold, when I called in the afternoon, it was up.  So
far, so good, I thought.
 
I logged on to the machine, and discovered a shell server with a
loadav of 40, and 30 second response time to do a "cd." I found
this somewhat curious, since the box had 384 meg, and 92 users,
few of whom appeared to be doing anything other than sitting in
shells twiddling their thumbs.  There were a few copies of Pine
running, and one IRC.  Curiously enough for a "full-featured"
shell server, there were no telnets, rlogins, screens, gcc's, or
flavors of shells other than the "esh" used to provide menu
access to mail and news for the unIlluminati.
 
I touched .hushlogin to get rid of the slow annoying login
message which took forever, changed my shell to
/usr/local/bin/bash, and set up a .profile with all the things
which should have been in /etc/profile, like MANPATH.
 
The next time I logged in, the perms on "chsh" had been removed
and it was no longer able to be executed by users.
 
Hmmmm.
 
I started customizing my account, set up procmail, subscribed to
Cypherpunks, and set up a .screenrc.  When I typed "screen
BitchX", I got no color at all, and discovered their copy of
screen pre-dated ANSI color support.  I grabbed a new one from
the GNU site and compiled it.  tin, Lynx, and a bunch of other
things were old too, and I made a mental note to compile those
when I got the chance.  The BitchX on the system had been
compiled in "Public Access" mode, which made it impossible to
save any settings, or use most of the features.  Yet more
compiling.
 
However, I was very pleased to see that the load on the shell
machine had dropped to 42 users, and I was actually getting good
response time.  Since I would be using the system mostly in the
evenings, and the dialup lines seemed adequate, I sent them a
money order for $48 for three months the next day, which was Tuesday.
 
Wednesday, I got a nice email from "Nanook" thanking me for
subscribing, and asking me to tell everyone how wonderful his
system was, because it saved them advertising dollars.
 
Crypto support was non-existent.  Elm was not PGP-Enabled, and
Lynx did not contain the SSL mods.  I posted a short note in a
local newsgroup asking if anyone would be interested in an
SSL-enabled Lynx, and retired.
 
Thursday, I experienced Eskimo phone lines from Hell.  There were
messages from other users distressed over not being able to
maintain a connection for more than 3-4 minutes.  I dialed into
the public library system, and telnetted from there.  Ironic, I
thought, that I was using a public dialup system to get to the
system I had subscribed to in order to have dialup access without
going through a public dialup system.  Will wonders never cease.
 
When I got on and checked my mail, I had a cautionary note from
the tech support person, who had seen my newsgroup post on
Lynx/SSL, and he told me he had such a version in his ~/bin dir
which I could use.  He asked me not to mention Lynx HTTPS support
again in public, because it might create "liability" if someone
accessing Eskimo from another network entered a credit card
number, and had it sniffed over the insecure part of their link.
 
I responded and thanked him for the SSL-enabled Lynx, and told
him he could link to my lovely new screen which did ANSI color if
he liked.  I also inquired if he was planning on upgrading to
Solaris, and if he had any security problems running his antique
SunOS 4.x on the Net.
 
I got a reply in which he ridiculed "Slowaris" and stated that
his machine was locked down tight, and had not been rooted since
1995.  (Snort)
 
Now, I've seen Solaris load-balance rings around SunOS, with a
hundred users doing serious work on a 128M box, and unlike the
384M Multiprocessor Eskimo shell server, you don't get a 15
second pause in your telnet session because someone else has
typed "Pine."
 
One thing I also found a bit odd was that Eskimo encourages
people to subscribe for multi-year periods, and has a clause in
their AUP which states that if your account is cancelled for
"abuse," they get to keep your money.  This is accompanied by a
somewhat snide and cryptic comment that "If you don't abuse the
system, you have nothing to worry about."
 
They also have a signon message which reads...
 
     "This system is for the use of authorized users only.
      Usage is subjected to monitoring and recording.  Anyone
      using this system expressly consents to such monitoring
      and is advised that if such monitoring reveals possible
      evidence of criminal activity, system personnel may
      provide the evidence from such monitoring to law
      enforcement officials."
 
This didn't sound particularly friendly, but I suppose any ISP
can read your Email, so I ignored it and pushed merrily onwards.
 
I used the system a bit more that afternoon.  I visited CERT and
Rootshell, and read about the latest Unix problems.  I did a few
"ps" commands to see what was running.  I did a "ypcat passwd
|wc" and was surprised to see they had only a little over 3,000
passwd file entries, which seemed a small number of users for the
amount of hardware they had running.  I browsed through /bin,
/usr/bin, and /usr/local/bin.  I set up "ls" to do color.  Being
curious as to the boast of the system being unrootable, I checked
the usual things dense sysadmins sometimes forget about, like not
statically linking login, and leaving directories containing
problematical suid root utilities able to be executed by users. I
perturbed my library path and some environment variables, and
checked to see that a couple of system programs were smart enough
not to use them.
 
Then I read news, looked at local headlines, and had dinner.
 
Later that evening, I was sitting in IRC chatting with some
friends and I got bumped off again.  I dialed back in, and was
greeted by "Your account has been terminated for abuse."
 
I then called the crack customer service desk, and after
identifying myself, received the explanation that "Uh, you tried
to get our password file, didn't you?"
 
"The passwd file is public under Unix," I replied.  "I did count
the entries.  Perhaps you are thinking of the shadow file, where
the passwords are actually stored, which is not accessible to the
users."
 
This was followed by another "Uh", and about 10 minutes on hold.
 
"Your account is gone.  You looked for mountd.  You visited
rootshell!  It's all in your .bashrc (sic) file!" the help desk
person replied in horror, and hung up in my ear just as I was
about to say something about my $48 and lawyers.
 
I called back and pointed out that his system wasn't in any
danger, and that I hadn't looked at anything a technically
literate Unix person wouldn't be curious about when signing on to
a new system for the first time.  I also asked him to have the
owner call me.
 
So far, the phone hasn't been ringing.
 
A number of years ago, the Eskimo Owner claimed that Eskimo North
was taken offline for a considerable period of time by hackers,
as related in the stirring saga of his adventures in...
 
           http://www.eskimo.com/admin/hacknf.html
 
After my Eskimo experience, I wonder how much of the downtime was
hackers, how much was the owner's Unix security learning curve,
and how much was the fact that it took the destruction of his
system to apprise him of the fact that his backup tapes were
unreadable. :)
 
I really have to wonder about the clue level of people whose idea
of system security is wetting their pants when a user reads CERT
or Rootshell in Lynx.  These are not the people they need to
worry about.
 
In any case, my three days as an Eskimo customer have been a
genuine Coke-Squirting-Out-Of-Nose-Onto-Keyboard experience, and
I hope the owner and the 3,000+ esh and pine users have a
pleasant rest of their lives grazing on the Eskimo boxen.
 
I still need a local dialup to the Net.  Perhaps I will see about
reviving my Zipcon account.  (sigh)
 
--
     Mike Duvos         $    PGP 2.6 Public Key available     $
     r00t@eskimo.com    $    via Finger                       $
       {Free Cypherpunk Political Prisoners Jim Bell and Toto}
 