From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	LOTS_OF_MONEY,MAILING_LIST_MULTI,MONEY_NOHTML autolearn=no
	autolearn_force=no version=3.4.4
Received: (qmail 5818 invoked from network); 20 Sep 2021 14:56:34 -0000
Received: from minnie.tuhs.org (45.79.103.53)
  by inbox.vuxu.org with ESMTPUTF8; 20 Sep 2021 14:56:34 -0000
Received: by minnie.tuhs.org (Postfix, from userid 112)
	id 9C7F29CA30; Tue, 21 Sep 2021 00:56:33 +1000 (AEST)
Received: from minnie.tuhs.org (localhost [127.0.0.1])
	by minnie.tuhs.org (Postfix) with ESMTP id 13CA69C8E7;
	Tue, 21 Sep 2021 00:56:10 +1000 (AEST)
Authentication-Results: minnie.tuhs.org;
	dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ronnatalie.com header.i=@ronnatalie.com header.b="COGw9/ql";
	dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="Dtab5Eug";
	dkim-atps=neutral
Received: by minnie.tuhs.org (Postfix, from userid 112)
 id 840E79C8E7; Tue, 21 Sep 2021 00:56:08 +1000 (AEST)
X-Greylist: delayed 457 seconds by postgrey-1.36 at minnie.tuhs.org;
 Tue, 21 Sep 2021 00:56:04 AEST
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com
 [64.147.123.25])
 by minnie.tuhs.org (Postfix) with ESMTPS id C907F9C8DB
 for <tuhs@minnie.tuhs.org>; Tue, 21 Sep 2021 00:56:04 +1000 (AEST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.west.internal (Postfix) with ESMTP id E13453200973
 for <tuhs@minnie.tuhs.org>; Mon, 20 Sep 2021 10:48:26 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Mon, 20 Sep 2021 10:48:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ronnatalie.com;
 h=from:to:subject:date:message-id:in-reply-to:references
 :reply-to:mime-version:content-type:content-transfer-encoding;
 s=fm1; bh=6KIIzmV3yQMsrxo2Z12fA/jAPTQ5ns8123Md+MIFXu4=; b=COGw9
 /qlX2WwvL7Yh/Jw4A7jWcJZJzmRF4zaTmsgb4d+/xnRRsQdKkUNnRDOAdzZYSUa8
 ZA3wRXB5DGxpdWXkm87HdA9fGb32tuK7ojW1Mc+OrSIckEg6qMSKWNoPNj8nyKU0
 eciGLXRJ7Ix8Bo500lULu9bKdJwK35djxz+8yrq0hZsyR9HkXG7aBRpC/r44b8nY
 Azlu/sMiiArQ8LmGcGr/ZWKH6GbXBRqp6Ni5DOPUBKLTyAmMgTcSiSxiCqSuG7kj
 KKNCpxL1rH4mA6xfwmEzv5OENXsC/WGrOVCr2kTIGUNTE4Jt5d0LSfNJ7nNMtFMe
 TxbrQ8ysibBjmZOYA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :reply-to:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm3; bh=6KIIzmV3yQMsrxo2Z12fA/jAPTQ5n
 s8123Md+MIFXu4=; b=Dtab5Eug/IzO3YgASYPyVoPSJWCA1ryFXV1cem+U2XwIV
 nk8UCtmx/+K4lXdcSXFbvCbgeedTB0gZ8mZx5CfQ6r1tEjc74UKclhPrj1k92WcM
 iDjZY1W4OVX/8B1ZuzKBizup09IO6Ua3xSWUhIBFqZkKq9V7G8EwxUJ1oclR+d3N
 R6REhQA1Azqwy1zjky3StEv9mbxGToGwbGPVwSGkgEpDzzkv+EJYM4aTRH54BBML
 w0Wj+OUeVmtV0rPxHbtsuC2QYRD4aIS/z9dqosDTGo0oIvkiKGYRSGyd73QAnHUj
 cSVMfjCXedBlOPRNGTd8gkac83ad9K/Qa65lg104g==
X-ME-Sender: <xms:Op9IYXB8LptPNPRRxwBiq0jX3yfAPnLPNlu_SYpQMlDehZFK-wWccA>
 <xme:Op9IYdi3zfWT3DPSj2lr5YBiZz5NGz-mijwT-RH-Ga8n_tgExHDelWKxzGuCaYm1d
 yW36TBk51G2vInJiG0>
X-ME-Received: <xmr:Op9IYSmvQz6N_HnydwEhvaRNQYRXRfj9ai5j7MSXX4sfmUd1aDeg0NzDyRQU7LcioEI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudeivddgkedtucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
 cujfgurhephffvufffkfgjfhhrfgggtgfgsehtqhertddtreejnecuhfhrohhmpedftfho
 nhcupfgrthgrlhhivgdfuceorhhonhesrhhonhhnrghtrghlihgvrdgtohhmqeenucggtf
 frrghtthgvrhhnpeffudetveetffeutefhleelvddtfefhkefhvdfghedujeevieejkedv
 vddtjeevgeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh
 hmpehrohhnsehrohhnnhgrthgrlhhivgdrtghomh
X-ME-Proxy: <xmx:Op9IYZzW357NiG5WGk3MeX0t0YDZxqEbuq_qU32tF1U0LgeEfYRu3A>
 <xmx:Op9IYcRMMhzG9A9-O_y4ZSh2TgLkF4qTi43URqWhZAluGOYn5_H9_Q>
 <xmx:Op9IYcZj-W9iMxqr2VRKKBqUHCYzqzXrwshfbJ8VWDdY6TKdfbIiHw>
 <xmx:Op9IYbMNsJ4GBrrEY5CFIhhG1UFbdAo-R-ea2HwDYHfKaQAMNIyJ5Q>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <tuhs@minnie.tuhs.org>; Mon, 20 Sep 2021 10:48:26 -0400 (EDT)
From: "Ron Natalie" <ron@ronnatalie.com>
To: "TUHS main list" <tuhs@minnie.tuhs.org>
Date: Mon, 20 Sep 2021 14:48:25 +0000
Message-Id: <em2cf6e0f0-5d63-45d8-b949-17c208c08899@alien>
In-Reply-To: <CAKH6PiVEHTfmdpz2iPwm1oSoL2r15WGfEU6xAdE60wq0xubWfw@mail.gmail.com>
References: <CAKH6PiVEHTfmdpz2iPwm1oSoL2r15WGfEU6xAdE60wq0xubWfw@mail.gmail.com>
User-Agent: eM_Client/8.2.1473.0
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Subject: [TUHS] On UNIX Trojans
X-BeenThere: tuhs@minnie.tuhs.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: The Unix Heritage Society mailing list <tuhs.minnie.tuhs.org>
List-Unsubscribe: <https://minnie.tuhs.org/cgi-bin/mailman/options/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=unsubscribe>
List-Archive: <http://minnie.tuhs.org/pipermail/tuhs/>
List-Post: <mailto:tuhs@minnie.tuhs.org>
List-Help: <mailto:tuhs-request@minnie.tuhs.org?subject=help>
List-Subscribe: <https://minnie.tuhs.org/cgi-bin/mailman/listinfo/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=subscribe>
Reply-To: Ron Natalie <ron@ronnatalie.com>
Errors-To: tuhs-bounces@minnie.tuhs.org
Sender: "TUHS" <tuhs-bounces@minnie.tuhs.org>

I have to say my experience in UNIX systems programming was due to the=20
discovery of a trojan.   It also shaped my research into security on=20
UNIX and other systems over the coming decades.

At the time, the UNIX system at Johns Hopkins University (there was only=20
one) in the EE department was run by an undergraduate activity called=20
the "University Computing Society."    This bunch, headed by Mike Muuss=20
and another covered all aspects of running the computer:  programming,=20
operations, hardware, and documentation support.    I was just a loose=20
hangar on at the time, writing my first C programs and the like.

A couple of student operators managed to get access to what would be the=20
installed copy of /lib/crt0.o (the small snippet inserted at the=20
beginning of all C programs).   They inserted a couple of bytes that did=20
an exec of a file "^V" (current directory) and then waited.   Most of=20
the time, this is a harmless change as there is no ^V file in the=20
current directory.    Then, one day they hit the jackpot and a setuid=20
root program got rebuilt and now they had a way of getting a root shell=20
easily.

This went largely undetected as they used it for quasi-productive uses=20
for a while.   One day one of the other programmers was rebuilding a=20
program and noticed the few byte increase in size (back then we were=20
running the system on a grand total of 8.5MB so every byte was=20
precious).   Subsequent analysis of what changed revealed the trojan.   =20
This led to an upheaval in the department and the end of the UCS.   They=20
did decide to keep the cheap student labor however, and since I had kept=20
my nose clean and had some extensive, albeit, non-UNIX programming=20
experience, I was brought on board.    I spent the next three and a half=20
years looking for and plugging security holes.

I went on (after a brief stint at Martin Marietta) to work for Mike at=20
Aberdeen Proving Ground and continued doing random security work=20
including being put on the Army's initial tiger team effort.    Also,=20
there used to be a discussion in the security groups about what a=20
"hacker with a Cray" could do for things about brute forcing decryption.=20
    I was given use of the new X/MP the Army bought to see if that was a=20
feasibility.    I later got to purchase a $25 million Cray 2, but left=20
BRL for Rutgers before that was delivered.