RE: Blast from the past

2001-01-30 Thread Dave Crocker

At 01:59 PM 1/27/2001 -0500, John C Klensin wrote:
>"spooling" or "mail store" mail-receiving processes came later --
>in the Multics case, not much later, as it became clear that
>direct-to-user-space delivery raised some security issues that no
>one was happy about-- but well before SMTP.

Hmmm.  It occurs to me that what you have highlighted is another Internet 
demonstration that scaling imposes more stringent demands.

However this was perhaps one of the earliest examples of social effects -- 
larger communities have less average trustworthiness? -- than technical ones.

d/




RE: Blast from the past

2001-01-30 Thread John C Klensin

--On Tuesday, 30 January, 2001 00:44 -0800 Dave Crocker
<[EMAIL PROTECTED]> wrote:

> Hmmm.  It occurs to me that what you have highlighted is
> another Internet demonstration that scaling imposes more
> stringent demands.

Probably

> However this was perhaps one of the earliest examples of social
> effects -- larger communities have less average
> trustworthiness? -- than technical ones.

I wasn't significantly involved in the decision (Jeff or others
might remember), but keep in mind that Multics had very
significant security features: either mailboxes had to be moved
to an inner ring (which was eventually done) or there needed to
be a spool.  An essentially application process (relatively low
privs as system sorts of things went) really couldn't write into
a user directory in the user ring without either very funny
access or a huge security hole.  

So, while I agree with your conclusion, I suspect the reason for
this particular decision was not social, but system architecture
and, with it, another conclusion we often reach: if the security
model and mechanisms are designed in from the beginning, the
right sorts of things tend to fall into place without horrible
retrofits that almost never quite do the job.

john




Wall Street Journal: DNS is not secure

2001-01-30 Thread aaron

Researchers Find Software Flaw
Giving Hackers Key to Web Sites

By TED BRIDIS 
Staff Reporter of THE WALL STREET JOURNAL

WASHINGTON -- Computer experts discovered a flaw in widely used
software that could let hackers hijack corporate and government Web
sites and steal sensitive e-mail.

The flaw in software that controls most of the world's Internet traffic was
quickly deemed a "critical" threat. It affects a popular software known as
BIND (Berkeley Internet Name Domain) that operates the Internet's
equivalent of global telephone directories. Experts warned that hackers
could change or delete entries in those directories at their whim, reroute
Internet traffic or shut down Web sites.

Researchers at the federally funded Coordination Center -- formerly
known as the computer emergency response team -- said the flaw
"threatens the Internet's integrity" because the BIND software is "arguably
the Internet's single most important software package." The federal
government also issued urgent warnings Monday to its civilian agencies.

World-Wide Bug

Network Associates discovers a big flaw in Internet software.

The software bug allows hackers to rewrite the Internet's equivalent
of telephone directories, called "domain-name servers." 

Any "calls" by Internet surfers made to an affected corporation
would go unanswered or, at worst, be redirected to Web sites
controlled by the hackers. They also could intercept and reroute
e-mail sent to people at that site. 

The flaw affects the latest version of so-called BIND software
created by the Internet Software Consortium for Unix and Linux
computers used by companies. BIND is arguably the Internet's
single most important software package and the flaw threatens the
Internet's integrity, say experts. 

There haven't been any reports that hackers have exploited the flaw,
but experts say tools to do so probably will start appearing on
underground Web sites within days. 

"This is among the most serious vulnerabilities to affect the Internet,"
said Shawn Hernan, the center's team leader for researching computer
vulnerabilities. "Web sites can be taken over, mail can be rerouted and
files can go where you don't expect them to go."

Consumers should watch for unexpected behavior at Web sites or for
undelivered e-mail, since those might indicate activity. Experts warned, for
example, that hackers could quietly redirect visitors from a bank's Web
site to a mock-up that they control to steal passwords and account
numbers.

Major corporations and Internet providers, which typically operate name
servers, were urged to quickly upgrade their software, which could take
from a few minutes to about one hour. Consumers can contact their
Internet-service providers to ensure repairs have been made, especially if
they suspect trouble.

It is impossible to say precisely how many specialized directory computers,
called "domain name servers," are at risk, though experts said hundreds of
thousands need to be fixed by installing the updated software. Nearly
every Web site relies on name servers, which correlate easy-to-remember
Web addresses to the numerical Internet addresses that Web servers
actually recognize.

Name servers can't be hidden or disguised because Internet browsers must
know how to communicate with them to retrieve the latest address
information.

"There's nothing you can do really as a consumer," said Weld Pond,
manager of research and development at @stake, a computer-security firm
in Cambridge, Mass. "Be more suspicious where you're going, be a little
more vigilant."

All 13 of the Internet's most important directory computers, the "root
servers" that direct the flow of the world's data traffic, were vulnerable
until they were repaired quietly earlier this month, weeks before Monday's
announcement.

"It's not an exaggeration to say you could have turned off name resolution
for sections of the Internet; to the average user that would mean no more
Web, no more e-mail, no more Napster," said Jim Magdych, a security
manager at Network Associates Inc., which discovered the flaw.

There were no reports that hackers have yet exploited the bug, but experts
expect tools to start appearing on underground Web sites within days. In
one sense, Monday's disclosure was the start of a race between those
trying to exploit the software flaw and companies that need to repair their
computers.

"Once the tools start showing up, then the 'script-kiddies' can use them,"
said David Conrad, chief technology officer of Nominum Inc., a contractor
to the Internet Software Consortium, which distributes BIND software. "It
wouldn't require any knowledge, just a canned program that somebody
with knowledge had actually written." Mr. Conrad's company helped write
BIND's latest version, which isn't affected by the flaw. (Script-kiddies are
unsophisticated hackers who rely on malicious tools written by others with
more computer skills.)

Write to Ted Bridis at [EMAIL PROTECTED]




Computer-related Crime

2001-01-30 Thread Gordon . Lennox

Computer-related Crime

The European Commission is participating in a number of initiatives aiming
at making communications networks like the Internet safer from criminal
activity.

It adopted on 26.1.2001 a Communication to the Council and the European
Parliament (COM(2000)890) entitled Creating a Safer Information Society by
Improving the Security of Information Infrastructures and Combating
Computer-related Crime

http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/crime1.html

The European Commission would like to invite comments from all interested
parties on the issues addressed in this Communication. Comments may be sent
up to 23 March 2001 via e-mail to the following address: 

[EMAIL PROTECTED]

Comments will in principle be published, unless the sender explicitly
requests the comment not to be published. Anonymous comments will not be
published. The Commission reserves the right not to publish comments it
receives. 

The European Commission will also organise a public hearing of interested
parties on the issues addressed in the Communication. This hearing will take
place on 7 March 2001. Requests for an invitation to submit a statement at
this hearing may be sent up to 20 February 2001 via e-mail to the following
address: 

[EMAIL PROTECTED]

The European Commission reserves the right to make a selection of parties to
be heard. Any selection will be based on the number of requests and the wish
to have a wide coverage of interests.

-





Re: Computer-related Crime

2001-01-30 Thread Jon Crowcroft


as a european, i feel i have to be first to respond with:

"We're the government and we're here to help"

having said that, there's some useful references in yr. document

for those of you out there in ietf land without brit TV access, you
might be amused to track down the Mark Thomas Product's
expose of the CEC's rather dubious track record on public access to
information/policy
http://www.channel4.com/mark_thomas/
and compare it with some policies in the US and other places that any
valid/effective/non-pointless cybercrime policy must be consistent
with...


i suggest someone setup a web site or list to accumulate ALL responses that
people want to make public otherwise you may never see them again:-)

it would also be most encouraging if the CEC were to actually use some
sort of secure email for the opposite requirement (folks that want
their responses provably private)

In message <91A2F218314CD4119566009027CA36EA0203ED45@ex2beimcombx04>, Gordon.Le
[EMAIL PROTECTED] typed:

 >>Computer-related Crime
 >>
 >>The European Commission is participating in a number of initiatives aiming
 >>at making communications networks like the Internet safer from criminal
 >>activity.
 >>
 >>It adopted on 26.1.2001 a Communication to the Council and the European
 >>Parliament (COM(2000)890) entitled Creating a Safer Information Society by
 >>Improving the Security of Information Infrastructures and Combating
 >>Computer-related Crime
 >>
 >>http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/crime1.html
 >>
 >>The European Commission would like to invite comments from all interested
 >>parties on the issues addressed in this Communication. Comments may be sent
 >>up to 23 March 2001 via e-mail to the following address: 
 >>
 >>[EMAIL PROTECTED]
 >>
 >>Comments will in principle be published, unless the sender explicitly
 >>requests the comment not to be published. Anonymous comments will not be
 >>published. The Commission reserves the right not to publish comments it
 >>receives. 
 >>
 >>The European Commission will also organise a public hearing of interested
 >>parties on the issues addressed in the Communication. This hearing will take
 >>place on 7 March 2001. Requests for an invitation to submit a statement at
 >>this hearing may be sent up to 20 February 2001 via e-mail to the following
 >>address: 
 >>
 >>[EMAIL PROTECTED]
 >>
 >>The European Commission reserves the right to make a selection of parties to
 >>be heard. Any selection will be based on the number of requests and the wish
 >>to have a wide coverage of interests.
 >>
 >>-
 >>
 >>

 cheers

   jon