Open Access to Security Info

[CDC Contractor Bob Johnson;SCSS;]

Ok, enuf already!  I've paged through (seemingly) megabytes of information,
blathering, lambasting, bickering, obscenity, arguing, and pontificating
about a certain tty security hole.  If you're not smart enough to figure it
out by now from the clues, then you shouldn't be jumping up and down on this
list.  If you don't have time, then welcome to the world of "having a real
job".  There is a large body of system administrators (myself included) who
just don't have the time to mess with finding a hole they don't have the 
source code to fix.  What we need is a "bell for the cat" to know if someone
is abusing the hole, and some common-sense "rules of thumb" to cut down on 
the opportunity for abuse.  Unfortunately, this particular hole doesn't lend
itself to monitoring very well.  I could just as well spend my time worrying 
about being hit by a meteorite - it would do me about as much good.

Now -- to the few who believe that the world has a right to any and all  
information about security holes, and who have knocked various "restricted"
security lists...  If you truly believe the world at large has the right to
know - why not start your own "Security Issues" list and accept all comers?
You can sign me up as the first person on the list.  The way I see it, if a 
person is inclined to system cracking, they are going to find the holes one 
way or another.  We might as well be privy to the same info.  Why should 
only crooks have guns?  Just be careful of the Computer Fraud and Abuse Act
of 1987, which makes it a felony to tell someone how to crack a system ;-).

But, more than anything (IMHO), if you're not willing to do something
constructive, then..... QWITCHERBITCHIN!
------------------------------------------------------------------------------
Bob Johnson, Control Data Corporation (contractor to...)
Tinker Air Force Base, Oklahoma
robjohn at logdis1.oc.aflc.af.mil