tty security problems under SunOS 4.1 and SunOS 4.1.1

Dave Hayes dave at jato.jpl.nasa.gov
Wed May 15 04:45:06 AEST 1991


brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:

>However, the bugs are not fixed. I was able to adapt my breaking
>program---still using the same holes that I posted some years back---to
>SunOS 4.1 and 4.1.1, both with and without the new telnetd/rlogind.
>Mitch Wright has agreed to be a reference for this. I believe the new
>version will also survive ``uncover''.

Great. Thanks for your support. *sigh*

I dunno why, but I am beginning to enjoy bashing you. However there
does come a time to be a bit less frivolous.

(WARNING: Slight meta-psychological digression here.) You asked: 

>Why do people think this way? What is so difficult about logic and
>common sense that they have to be replaced by testing? You can't play
>around with security---and given how easy it is to *guarantee* that a
>mechanism is secure, there's no reason to play around.

Yes, people ARE different, aren't they? Have you ever considered that
these people can't fix something they don't understand? Let's take
this further...do you think that they'd ever WANT to understand when
the information is presented in a negative way?

Have you ever observed that when you tell a person outright that
they are wrong...that they start to get even MORE wrong and MORE 
illogical and extremely nonsensical? Have you ever noticed that this
phenomenon also occurs when remarks about intelligence are made, or
insinuations about stupidity are made?

You know, I'll level with you. For all my negative remarks that I
make about you (and still feel like making)...I realize (in my own folly) 
that because of this you won't listen to a word I say...it doesn't matter
whether or not my remarks make sense. 

Now look at these two paragraphs:

>Sun's patched telnetd and rlogind do stop one program. That's good. But
>the CERT announcement implies that the patches are a ``SOLUTION'' to the
>entire vulnerability of the tty subsystem. That's absolutely wrong. The
>documentation inside Sun's patched source claims that the new versions
>will detect whenever a tty is open. That's absolutely wrong too.

>I hope the SunOS 4.1.1 example gives people a healthy level of distrust
>for vendors' claims that a hole has been fixed. Sun---that's right,
>powerful vendor Sun---was told about a security-breaking program, did
>manage to stop that program, and then didn't look before it leaped into
>the claim that the problem was now completely solved.

Can you see how this applies to vendors? Sure, they resist making changes
and I've had some pretty bad experiences with them. Why? Because we give
them so much flak about these things. (I'm no exception) 

It's no wonder that they resist some guy who has nothing better to do than
find out what they did wrong. Humans spend 80% of their lives pointing out
others' mistakes...if we spent half that time learning to correct them we'd
probably be in a better place than we are now.

SO when you ask "Why do people...", you might consider what effect you
have had on them first. Perhaps in the case of the wayward vendors,
you might offer them a comprehensive and SIMPLE solution to this problem,
instead of just jumping up and down and pointing out the mistake.

After all...coming up with break code doesn't really help you come up 
with a fix now, does it?
-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave at elxr.jpl.nasa.gov       dave at jato.jpl.nasa.gov           ames!elroy!dxh

   "It is a dragon, destroyer of all," cried the ants. 
                                   Then a cat caught the lizard.


