[Cryptography] Will We Ever Learn?

metzdowd at bikkel.org metzdowd at bikkel.org
Thu Apr 19 07:17:33 EDT 2018


On Wed, Apr 18, 2018 at 07:03:37PM -0700, Phillip Hallam-Baker wrote:
> Date: Wed, 18 Apr 2018 19:03:37 -0700
> From: Phillip Hallam-Baker <phill at hallambaker.com>
> To: "Shawn K. Quinn" <skquinn at rushpost.com>
> Cc: Cryptography Mailing List <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] Will We Ever Learn?
> Return-Path: <cryptography-bounces 
> 
>    On Mon, Apr 16, 2018 at 5:00 AM, Shawn K. Quinn
>    <skquinn at rushpost.com> wrote:
> 
>      On 04/13/2018 08:01 PM, Ryan Carboni wrote:
>      > The Morris worm was in 1988. That's all you need to know about
>      > what is really going on with internet security.
>      > A worm crashed the internet, and everyone's response is to do
>      > nothing. That wasn't 2017, that was 1988.
>      Notice how you had to call it the Morris worm?
>      Before Microsoft Windows was internet capable, it was simply called
>      The Internet Worm. As in, the one, singular. Now, you have to call
>      it the Morris worm to differentiate it from all the Windows worms
>      that have come since.
> 
>    Not because it was the only one to be launched, because it was the one
>    that brought the Internet down. There was also the Wang Worm and we had
>    numerous breaches of Internet facing machines due to Sendmail
>    vulnerabilities.
> 
>    For years, UNIX systems eschewed shadow password files as 'security
>    through obscurity' until Crack appeared and suddenly having a world
>    readable password file was a bad idea.
> 
>    Windows was not conceived as a multi-user or a network OS. So it is
>    hardly surprising that the effect of adding it to a network was
>    interesting. Windows NT was designed as a network OS but it was only
>    when the Vista switchover occurred that the desktop OS moved to a fully
>    NT based security scheme and that transition was resisted by many lazy
>    admins who found the security got in the way of their work and it was
>    easier to tell users they didn't want Vista than deploy it.
> 
>    What has changed since is that the Internet is no longer just one
>    network, it is all networks.
> 

We did learn (partly). Everybody who was sane decided that the whole idea of a
bloated suid sendmail binary (also daemon) was a spectacularly bad idea, and
jumped on board Wietse Venema's Postfix (the MTA that was explicitly written
to be a secure, sane, safe replacement for sendmail); some people chose DJB's
Qmail, which is also OK, but Bernstein's attitude complicated things.

Then there were people that didn't learn, and although they chose a
replacement, they chose something with exactly the same bad design (Exim).

So, yes .. the people that were affected *did* (mostly) learn from the
Morris worm.

Same story with BIND (although BIND is not so crappy as Sendmail was).

The Windows world was a bit later, because Windows sysops are more likely
to be sheep that will run anything as long as it's made by MS, no matter
how often they get burned (IIS). (To be honest: Windows sysops know that
they are paid to run and maintain MS products, not to make sure that the
best choice for the organisation is made. That choice was made by upper
management.)
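The shadow-password point quoted above (a world-readable password file hands every local user the hashes to crack offline; moving them into a root-only shadow file is the fix) can be turned into a small audit. The following script is an added example, not code from anyone in this thread; the passwd lines it checks are constructed, and the real-file run at the bottom simply reads the local /etc/passwd and /etc/shadow if they exist.

```python
"""Audit a passwd file for password hashes that should live in /etc/shadow,
and check that the shadow file is not readable by other users."""
import os
import stat

# Constructed sample /etc/passwd content. "x" means "look in /etc/shadow";
# the 'legacy' entry carries its hash inline, as pre-shadow UNIX did.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$abc123$hashvalue:1001:1001:Legacy:/home/legacy:/bin/sh
locked:*:1002:1002:Locked:/home/locked:/usr/sbin/nologin
"""

# Values in the password field that do NOT expose a hash.
SHADOWED_MARKERS = {"x"}


def audit_passwd(text):
    """Return (line number, user, finding) for every entry whose password
    field is empty or holds a hash instead of a shadow/lock marker."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        # NIS/compat entries ("+user", "-user") are not local accounts.
        if line[0] in "+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((lineno, user, "empty-password"))
        elif pw not in SHADOWED_MARKERS and not pw.startswith(("!", "*")):
            # Anything else in field 2 is a crypt(3)-style hash readable by
            # every local user, which is exactly what Crack fed on.
            findings.append((lineno, user, "inline-hash"))
    return findings


def shadow_world_readable(mode):
    """True if any 'other' permission bit is set on the shadow file's mode.
    Distributions use 0640 root:shadow or 0000/0400; any 'other' bit is wrong."""
    return bool(mode & stat.S_IRWXO)


def audit_host(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run both checks against real files; returns (findings, shadow_exposed)."""
    findings = []
    if os.path.exists(passwd_path):
        with open(passwd_path, encoding="utf-8", errors="replace") as fh:
            findings = audit_passwd(fh.read())
    exposed = None
    if os.path.exists(shadow_path):
        exposed = shadow_world_readable(os.stat(shadow_path).st_mode)
    return findings, exposed


if __name__ == "__main__":
    print("sample:", audit_passwd(SAMPLE_PASSWD))
    real_findings, real_exposed = audit_host()
    print("host passwd findings:", real_findings)
    print("host shadow world-readable:", real_exposed)
```

The check deliberately treats `*`, `!` and `!!` as lock markers rather than hashes, so locked system accounts do not produce noise; an empty field is reported separately because it is a different failure (no password at all, not an exposed one).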
