[1757] in SIPB_Linux_Development
Re: breakin report - sniffer running in 18.242.*
daemon@ATHENA.MIT.EDU (Edwin Foo)
Tue Aug 19 05:30:59 1997
Date: Tue, 19 Aug 1997 05:32:00 -0400
To: Emil Sit <sit@MIT.EDU>
From: Edwin Foo <efoo@MIT.EDU>
Cc: net-security@MIT.EDU, stopit@MIT.EDU, linux-dev@MIT.EDU, kvlee@MIT.EDU,
goblin@MIT.EDU, fubob@MIT.EDU, bdrosen@MIT.EDU
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>I'm not entirely clear on why linux-dev was included in this mailing.
>I'll make some sort of linux-dev response in a sec. I should mention that
>linux-dev is a publicly readable list, archived in discuss, available on
>the web. While news of this particular incident needs to be broadcast,
>everyone should be advised not to disclose any sensitive information
>while linux-dev is included on the recipient list. As a personal
>request, in the event that linux-dev is taken out of the loop, I'd like
>to be kept informed as to what's going on. That out of the way...

Yup, I realize that linux-dev is public -- that's why I have not sent the
list of compromised accounts and passwords. :).

The reason I cced: linux-dev originally was actually a suggestion of
fubob and bdrosen; I hadn't thought of it myself. fubob's original email
was kind of a start though.

>Unfortunately, linux-dev no longer supports Slackware in any way shape
>or form. When we introduced RedHat-Athena last year, we encouraged
>....
>netusers mentioning this problem.

Right. I've already done the same notification to people on my own login
list. I "talk"ed with the hacker today, actually. I traced him down while
he was trying again to log into my machine and get root using one of the
stolen accounts before he caught up and logged off. A little while later he
talk-requested me from an account at columbia.edu (probably stolen too). In
my little 5-minute chat with him I gathered that this guy already has the
other passwords and intends to use them. Unfortunately, that leaves pretty
much all redhat machines open, as well as slackware, so long as they accept
kerberos logins. What bothers me is that there are plenty of Redhat 3.0.3
machines still out there, probably with known holes like the perl suid bug
or something.

I'll be creating a big long list of all the known compromised usernames
tomorrow (I'm deleting the passwords because simply possessing them gives
me the creeps and is probably illegal anyway). As an RCC I probably am the
one obligated to make the announcement, at least for the dorms, so I'll do
so, but I will certainly run the draft by the rest of the list for
comments. If anyone wants a list of the affected usernames, they should
contact me personally and arrange for me to physically transfer a paper
copy to them once they give me a good reason why they should have this list.

>And, on a semi-related note, I've personally never found escape to be
>too helpful, but I haven't really dealt with them since 1995.

Yeah, they stink. Response from them has been rather lax, and I've
pretty much given up. The hacker even said so himself; he has
apparently been getting a free ride off of them for quite a while.

- -Edwin

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBM/lmoo2Nscf5yyE6EQIpRACfU/gMoJKhubjWNJlEio9JHOZ61ZkAoNji
2CDnHWwGyRDEfPk/yU4p4JR1
=lOyN
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
The FooBunny | MIT Computer Science '98 - Systems and Architecture
efoo@mit.edu | DEC Cambridge Research Lab - Parallel Computing Group
(617) 225-8826 | Residential Computing Consultant (RCC) - New House
"Love must be sincere; Hate what is evil; cling to what is good."
- Romans 12:9 <><
------------------------------------------------------------------------