Should Dan post full details of his tty bugs?

Bharat Mediratta bharat at computing-maths.cardiff.ac.uk
Fri May 10 01:56:14 AEST 1991


In article <26821 at adm.brl.mil> konczal at sunmgr.ncsl.nist.gov (Joe Konczal) writes:
>
>   From: bill <bill at franklin.com>
>   Date: 4 May 91 20:14:46 GMT
>
>   In article <1991May3.183159.23747 at maths.tcd.ie> 
>	   chogan at maths.tcd.ie (Christine Hogan) writes:
>   : In <4601 at skye.ed.ac.uk> richard at aiai.ed.ac.uk (Richard Tobin) writes:
>   : >For this reason I believe it would be best for Dan to post full details
>   : >of the various loopholes.
>   : I disagree.  I _don't_ have sources and I _do_ have lots
[stuff deleted]
>If Dan posted full details, those who don't have the source to their
>operating systems would still be unable to close the loopholes, but
>many other undergrads, who are not smart enough or motivated enough to
>figure it out on their own, would now know how to abuse these
>loopholes.
>
>If you really need to know the details of the loopholes Dan is talking
>about why don't you try to convince him to send them to you, instead
>of writing yet another naive, "doesn't every SA have the OS source,
>and the time and ability to fix it immediately?", message to the
>network.

Unfortunately, this whole deal is the result of something that never
should have happened.  System administrators are notably busy all the
time, whereas idle hackers usually (by definition) have a great deal
of idle time.  Who do you suppose is going to be able to react better
to a few hints, an overworked system administrator or some eager hacker?
Administrators are busy and don't want to deal with poring through
the manuals to figure out the hints that Dan has dropped in order to
patch some obscure bug with tty.  An undergrad with a lot of free time
on his hands (which is the majority, let's face it) is going to be
a lot more enthusiastic about spending a few hours with the old manuals
if it means he can find a new and interesting loophole in security.  All
that this discussion has accomplished is to weaken the security of another
thousand sites.  The correct response would have been to tell the
people who developed the system and let them take care of it.  They know
who the authorized vendors are, and the vendors know who the authorized
system administrators are.  Sure, it'll take a while to get all the way
down to the system administrators, but at least that way the whole
USENET doesn't know about the latest security hole.

This isn't the newsgroup for flames or for personal insults, and neither
is it the group for undermining system security.  The best thing to
do is for Dan to send the fix to the developers and drop the subject.  Maybe
that way we can prevent even more people from learning the trick.

--
|  Bharat Mediratta  | JANET: bharat at cm.cf.ac.uk                               |
+--------------------+ UUNET: bharat%cm.cf.ac.uk%cunyvm.cuny.edu at uunet.uucp    |
|On a clear disk...  | uk.co: bharat%cm.cf.ac.uk%cunyvm.cuny.edu%uunet.uucp at ukc|
|you can seek forever| UUCP: ...!uunet!cunym.cuny.edu!cm.cf.ac.uk!bharat       |