BSD tty security, part 4: What You Can Look Forward To

Dave Hayes dave at jato.jpl.nasa.gov
Thu May 2 09:52:18 AEST 1991


wrwalke at rsi.UUCP (William Walker) writes:

>In article <1991Apr30.224235.2459 at jato.jpl.nasa.gov>, dave at jato.jpl.nasa.gov (Dave Hayes) writes:
>> I see what you are saying, but I have to disagree. Why has Dan even POSTED
>> that such holes exist, if he is not willing to disclose the details to
>> us system admins that are going to be of necessity interested in the problem?
>     ^^^^^^^^^^^^^
>ok, so you *are* a system admin with a legit need to know.  so what's the big
>deal with sending him a set of references??

I did. That didn't seem to help matters much. He claims I have no
legitimate reason to know. My paycheck claims differently. 

>do you want every bored CS major between here and australia finding out 
>about those holes a week or so before you get your patch tapes from the 
>vendor?

What patch tapes from the vendor? We'll be damn lucky to see patches from
vendors in 1995! I don't trust vendors any farther than I can throw them,
see my previous stuff in comp.sys.apollo for a good example of that (about
the time of the HP buyout). 

They have no incentive to fix these holes...yet. In that sense it would be
good for a few bored CS majors to get into it on the net...that'd make
everybody wake up and smell the coffee. 

>so what do you do if you find a nifty little bug??  you tell the vendor 
>and CERT, CERT makes it known to its brain/talent trust, contacts the
>vendor who says "BFD".  what about the guy *without* source??  how is
>he ever going to get the hole patched?  unless the customers pressure
>the vendor, 

Which rarely works anyway. What are you trying to say here?

>NO changes will ever be made unless it is the old "fixed
>in the next release" line, send us a check....  this "approval" arrangement
>also sounds kinda hokey to me, but i can't think of a better medium
>between leaving gaping holes under the carpet and posting potentially
>dangerous code on a public forum accessible to thousands of bored hacker 
>wannabes.

I don't know that posting the details of these hacks wouldn't do all of
us a lot of good...

These "approval" arrangements are always hokey. I personally believe 
that this behavior is something left over from childhood...8)

It's a cooperative universe. I help people all the time...if I was in
the same position, I'd want every other sysadmin to know exactly what
was broken and how to fix it (not just the latter). 

And that's my $2e-02. 
-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave at elxr.jpl.nasa.gov       dave at jato.jpl.nasa.gov           ames!elroy!dxh

          You possess only what will not be lost in a shipwreck.



More information about the Comp.unix.wizards mailing list