On Sat, 22 Feb 2003, William Allen Simpson wrote:
> I see. So you're still filtering port 25 from the Morris sendmail worm.
>
> Funny thing, I was a researcher visiting at Cornell, and had just left in the car for the 9.5 hour drive home when it struck. I've often wished I'd stuck around for a few more hours for the excitement.
>
> Anyway, we didn't need to put in a long term block, as everyone took down their systems and cleaned them. I didn't even find out about the problem until over a day later, by which time it was long gone.
>
> Ah, the days when we all cooperated....
In 1988 we had ad-hoc responses, with people posting to various USENET newsgroups or some mailing lists still working, about what they were seeing and how to fix it. There was no CERT, BBN (and others) disconnected from the net (and took many people downstream with them), and even though most people knew each other, they didn't all have alternate contact information. Most of the methods the Morris worm used in 1988 are still being used *effectively* today:

1) Backdoor in SENDMAIL
2) Buffer overflow in Fingerd
3) Password guessing in Rsh/Rexec

Some people blocked the ports used. Some people still block ports such as Finger (79) and rsh/rexec (513/514). But generally ports were blocked by the local institution, not on the ARPANET.

The version numbers change, the executables change, but the basic problems haven't changed in 30 years. We still have backdoors, buffer overflows and password guessing. We still have ad-hoc response by people sharing solutions on mailing lists. The people who cut themselves off from the open process are still slower to get stuff fixed. And we still have weak methods for contacting people through alternate methods.

I wish it was as easy as paying a managed security company to watch out for me. But unfortunately, paying several thousand dollars for the privilege of getting "confidential alerts" which look amazingly similar to what I wrote on a public mailing list a few hours earlier is a bit silly.