Dan Farmer's vacation message
From: Karen Pichnarczyk
Date: Fri, 17 Mar 95 16:18:40 PST
Subject: Dan Farmer's vacation msg re: SATAN
Dan just updated his vacation message to his account on fish. I'm
posting it here so that he doesn't have 10 zillion messages in his
inbox when he decides to read mail again. You'd get the same msg if
you sent him mail. I edited out his account name because if you don't
already know it, then you don't need to.
> From [Dan's account] Fri Mar 17 16:11 PST 1995
> Date: Fri, 17 Mar 1995 16:15:14 -0800
> Message-Id: <199503180015.QAA06845@fish.com>
> To: email@example.com
> From: [Dan's account] (via software automation)
> Subject: away from my mail
> I will probably not be reading your mail for a while; I've got to
> release SATAN (don't ask if you don't know) in a few weeks (release date
> is April 5th.) Your mail will be read when I get back to my real life.
> T'care -
> -- d
> (no, we don't need any further alpha or beta testers, either. However,
> bribes of software or hardware from cool manufacturers or very good
> desserts will be carefully consumed and considered in this decision.)
> On April 5th the real thing will go out. I'll
> post copiously where it'll be. If you want to volunteer
> your MASSIVE ftp site, let me know.
> Here are some of the current volunteers/locations:
> (My coauthor put this out)
> Subject: SATAN release schedule
> Here's the release schedule for the SATAN (Security Administrator Tool
> for Analyzing Networks) tool. Below is a summary of what it is about.
> February 24
>     alpha release to selected expert sites
> March 15, 16:00 MET
>     beta release to selected major sites
>     documentation release to the public
> April 5, 16:00 MET
>     first release to the public.
> Mirror site offers are welcome.
> Wietse Venema / Dan Farmer
> SATAN was written because we realized that computer systems are
> becoming more and more dependent on the network, and at the same time
> becoming more and more vulnerable to attack via that same network.
> The rationale for SATAN is given in a paper posted in December 1993
> (ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.101.Z, flat text
> compressed with the UNIX compress command).
> SATAN is a tool to help systems administrators. It recognizes several
> common networking-related security problems, and reports the problems
> without actually exploiting them.
> For each type of problem found, SATAN offers a tutorial that explains
> the problem and what its impact could be. The tutorial also explains
> what can be done about the problem: correct an error in a configuration
> file, install a bugfix from the vendor, use other means to restrict
> access, or simply disable service.
> SATAN collects information that is available to everyone with access
> to the network. With a properly-configured firewall in place, that
> should be near-zero information for outsiders.
> We have done some limited research with SATAN. Our finding is that on
> networks with more than a few dozen systems, SATAN will inevitably find
> problems. Here's the current problem list:
>     NFS file systems exported to arbitrary hosts
>     NFS file systems exported to unprivileged programs
>     NFS file systems exported via the portmapper
>     NIS password file access from arbitrary hosts
>     Old (i.e. before 8.6.10) sendmail versions
>     REXD access from arbitrary hosts
>     X server access control disabled
>     arbitrary files accessible via TFTP
>     remote shell access from arbitrary hosts
>     writable anonymous FTP home directory
> These are well-known problems. They have been the subject of CERT, CIAC, or
> other advisories, or are described extensively in practical security
> handbooks. The problems have been exploited by the intruder community
> for a long time.
> We realize that SATAN is a two-edged sword - like many tools, it can be
> used for good and for evil purposes. We also realize that intruders
> (including wannabees) have much more capable (read intrusive) tools
> than offered with SATAN. We have those tools, too, but giving them
> away to the world at large is not the goal of the SATAN project.