tty security problems under SunOS 4.1 and SunOS 4.1.1

Dave Hayes dave at jato.jpl.nasa.gov
Sat May 18 04:15:54 AEST 1991


jim at segue.segue.com (Jim Balter) writes:
>Dan appears to have offered what he believes to be a comprehensive solution,
>and as simple as he thinks he can make it.  ("Make things as simple as
>possible, but no simpler." -- Al E.) 

That may be how it appears to you.  I certainly don't know how it appeared
to the vendors. I can only suspect that it appeared too complex and 
convoluted to vendors who would not listen....either that or the
information is presented in a hostile way.

Nevertheless Dan did ask a question. ("Why do people think this way") 
I merely answered. That's more than he's done for me.  

> The one jumping up and down is you.

Damn straight. I have no problems jumping up and down about what is 
going on with dissemination of security information..and not just 
Dan's personal problem with being helpful (as opposed to determining 
what help everybody needs). I get paid to jump up and down about this 
stuff. I don't mind it one bit. 

>>After all...coming up with break code doesn't really help you come up 
>>with a fix now, does it?
>Nor does posting it all over the net, now, does it?

I'd be willing to wager a large amount of money that posting code over the net
would produce a fix MUCH FASTER than coming up with the code. 

>Dan provides a solution but doesn't provide the break code.  Ed Carp and
>you and a bunch of others yell and scream in a most insulting, rude, impolite
>and uninformed manner at Dan. 

Now think for a second. Why do you think that we feel the way we do? Note the
common thread in the people who scream a lot (and I have a *BIG* mouth when
I want to have one)...we all have a legitimate interest in any security problems
over the internet. Dan, in all his holy infinite wisdom, has created an effect
on us by posting enough information to produce more crackers but not enough to
allow us to deal with them. Fortunately there are other members of the community
here that have more consideration and less ego who are willing to help, but IMHO
there's no excuse for Dan's behavior...and he should EXPECT the rudeness (in fact
I believe he revels in it). 

> Now you say that he should offer a solution but not come up with break code.
> Go figger.

You should. I was commenting upon his effort to break SunOS 4.1/4.1.1; trying to
figure what that would get him. It was also a very sarcastic comment.  

>As I see it, a bunch of non-wizardly sys admins are trying to disrupt a
>technical discussion about tty security problems and how to fix them,

Boy this sounds elitist. I guess us humans do need to demonstrate their superiority
over others time and time again...it's a fact of human nature.

>with demands that some code that demonstrates the problem be posted so that
>they can "understand the problem" and then go hack and slash or whatever
>in order to "fix" the problem.  This is simply not a competent approach
>toward problem solving.  

It is also incompetent to post details of the problem if you aren't willing
to post fixes/solutions and a description of the problem. I personally believe
that security by obscurity isn't (what a time worn phrase), but if you believe
different...then WHY POST ANYTHING AT ALL. Anything else is blatant and obnoxious
hypocrisy. 

>If you aren't competent (meaning possessing required
>knowledge and skills; nothing pejorative) to understand the problem from
>the discussion so far, what can possibly make you think that you are competent
>to solve the problem based upon the program that breaks the system?

This is an assumption about the way people think. I guarantee you that there exists
someone out there who couldn't understand the conceptual details until you
showed them some code. Interestingly enough, there is a musician who I am teaching
who doesn't understand a whit about altered dominant scales on paper, but when I played
them for him he immediately understood. 

Please cut the rest of humanity some slack. There are a LOT of different types of people
out here. 
-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave at elxr.jpl.nasa.gov       dave at jato.jpl.nasa.gov           ames!elroy!dxh

            Think enough and you won't know anything!


