BSD tty security

Dave Hayes dave at jato.jpl.nasa.gov
Tue May 14 08:39:42 AEST 1991


protin at pica.army.mil (Arthur W. Protin Jr.) writes:

>    I am getting very tired of the foolishness, personal attacks, and
>(seeming) evilness going on in this thread on tty security. 

Yes, and I am getting tired of the lack of cooperation and mistrust
going on in this community. It still exists, and I'll still complain
about it but that ain't goin t'make it go away...dammit. 8)

>    THE CODE THAT DAN IS WITHHOLDING IS THE CODE THAT EXPLOITS THE
>SECURITY BUG.  It is not needed to fix the code.  It is useful for
>testing the fixes.

It is useful indeed. My point (and I don't know who else agrees with
me) is that not only is this code needed to assert the validity of
any said fixes, but the code (or pseudo code) is needed to understand
the hole. A logical case can be made for security holes to be exposed;
good security is not based upon obscurity.  

>System administrators don't need to deal with the hints!  Follow
>the recipe. 

Do you trust someone who doesn't trust you? Please answer honestly,
now. Personally, and professionally, I do not.  

I find it extremely difficult to trust someone else's fixes when they
not only distrust me, but I have little or no understanding of exactly
what needs to be fixed and why. 

>(for at least a significant set of machines).  If you can not work
>from his plan, you will not be able to do anything more with the details
>except exploit the bug!

I disagree completely. If you have the details, you can eventually
provide fixes...assuming competence. 

>    Other than following Dan's step-by-step repair procedure, SA's
>can start to pressure their suppliers to fix or commit to fix the
>bug.

Give me a break, here. How many times has that failed? 

>Thank you, I just had to get that off my chest.

You're welcome. Please acknowledge that I'd like to do the same. 
-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave at elxr.jpl.nasa.gov       dave at jato.jpl.nasa.gov           ames!elroy!dxh

    He who has self-conceit in his head - 
         Do not imagine that he will ever hear the truth.



More information about the Comp.unix.wizards mailing list