Should Dan post full details of his tty bugs?

[bill]

: In article <26821 at adm.brl.mil>, konczal at sunmgr.ncsl.nist.gov (Joe Konczal) writes:
: > If Dan posted full details, those who don't have the source to their
: > operating systems would still be unable to close the loopholes, but

This is simply not true. There are any number of potential
solutions to this kind of problem, ranging from kernel binary
hacks, to redistributing access to various machines, to buying the
source code, to network and kernel monitoring, to harassing one's
vendor, to guards in the terminal room, to kicking off the system
anyone who might abuse it, etc.

The thing some seem to forget is this: ignorance prevents an
informed response. As it stands right now, any person with even a
little programming skill and some time on their hands could
exploit the hints provided in this newsgroup; however, the
typical system administrator, not even knowing the extent of the
problem, is going to say, rightly, that he's got enough *known*
problems to deal with, without wasting time on what may be
totally irrelevant to his system. (Someone is likely to say that
the extent of the problem has been explained. Nonsense. For
something as ramified as this, the explanations posted here have
been woefully inadequate.)

The effect is that most system administrators will do nothing
about things, because they *can't*, and most sites that have
irresponsible users who become aware of the possibility of
exploiting this hole are going to get the shaft. If provided with
the precise details of the problem, those same irresponsible users
will still do their thing, but the system administrators will be
in a position where they can at least attempt to prevent any
significant abuse from happening, or can detect a use of this
hole and clean up afterwards.