BSD tty security, part 4: What You Can Look Forward To

[Tom Neff]

In article <11974:May214:00:3691 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>                       I again invite you and everyone else to stop
>spouting the same tired old rhetoric and start paying attention to this
>case on its own merits.

I suggest this invitation would not have been needed if 'brnstnd' had
been somewhat more professional in his original announcement.  I can't
be the only one who found it a bit annoying.

If we really want to help the net, we should remember it's made up of
*people* who will have human reactions to what they read.  It is, for
instance, pretty easy to apply 'need to know' criteria when people ask
for bug details, without going out of your way to trumpet the fact
beforehand and p*** people off unnecessarily in the process.

It's also a good idea to try and keep factual discussions of specific
security problems separate from editorializing about who ought to know
what, when, etc.  There's already too much of a tendency to combine
these threads in ordinary followups.  A new, primary posting that
deliberately combines security facts and editorializing is guaranteed to
fan the flames!  And my point is that experienced posters can and should
know this up front.  It's a question of how you want the discussion to
proceed.  If you WANT to start a brawl, it's not hard to do.  I don't
think the net is best served that way.

In this case it would probably have been enough to say "I seem to have
found a security bug in BSD ttys; the following vendors and versions are
known to be affected; the following are known to be OK; for further
details mail me at <address>."  No big fuss, no cause celebre, just
quiet, effective response.