BSD tty security, part 4: What You Can Look Forward To

William Walker wrwalke at rsi.UUCP
Thu May 2 03:46:30 AEST 1991


In article <1991Apr30.224235.2459 at jato.jpl.nasa.gov>, dave at jato.jpl.nasa.gov (Dave Hayes) writes:
> smb at ulysses.att.com (Steven Bellovin) writes:
> 
> >What Dan has done -- offered
> >details to anyone who can prove his or her legitimacy -- is certainly
> >defensible as an answer.  You and I may not (or may) agree with it,
> >but it's as reasonable a choice as either of the first two.
> 
> I see what you are saying, but I have to disagree. Why has Dan even POSTED
> that such holes exist, if he is not willing to disclose the details to
> us system admins that are going to be of necessity interested in the problem?
     ^^^^^^^^^^^^^

ok, so you *are* a system admin with a legit need to know.  so what's the big
deal with sending him a set of references??


do you want every bored CS major between here and australia finding out 
about those holes a week or so before you get your patch tapes from the 
vendor?

> 
> Personally, I would like to know exactly what his criterion is. I believe I
> have extremely valid reasons for knowing these details...my paycheck happens
> to reflect these reasons. Naturally I responded to his #6 item...believing
> full well that he could validate my legitimacy.
> 

so what do you do if you find a nifty little bug??  you tell the vendor 
and CERT, CERT makes it known to its brain/talent trust, contacts the
vendor who says "BFD".  what about the guy *without* source??  how is
he ever going to get the hole patched?  unless the customers pressure
the vendor, NO changes will ever be made unless it is the old "fixed
in the next release" line, send us a check....  this "approval" arrangement
also sounds kinda hokey to me, but i can't think of a better medium
between leaving gaping holes under the carpet and posting potentially
dangerous code on a public forum accessible to thousands of bored hacker 
wannabes.

just another $.02
bill.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Walker  -  Overlord of Gateway Traffic, Keeper of all that is PD,
		Maintainer of the Almighty Source Tree, Worshipper of K+R, 
		Altar-boy at the Temple of "Bob", Resource in Residence,
		Patcher of Perl, Configurer of the Holy Sendmail...
wrwalke at rsi.prc.com  --  PRC, a wholly owned subsidiary of Black+Decker Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-