BSD tty security, part 4: What You Can Look Forward To

[Steve Simmons]

smb at ulysses.att.com (Steven Bellovin) writes:
>Another answer is to tell vendors and CERT.  This is a favorite of
>folks who don't like the first answer.  He's tried that; according to
>his earlier postings, some vendors, at least, aren't interested.

kdenning at pcserver2.naitc.com (Karl Denninger) writes:

>Neither was Interactive with their u_area bug (it was world-writable!) 
>until someone posted code which exploited the bug.  CERT wasn't even
>interested (I guess they consider ISC's offering not to be of any
>importance).  I am on the CERT list -- there was no notice of that 
>problem at all.

Some CERT person may correct me, but I believe that CERT only
makes public announcements when a fix or workaround is already
available.
-- 
 "FACT: less than 10% of the psychiatrists in the US are actually
  practicing cannibals."  Rod Johnson