BSD tty security, part 4: What You Can Look Forward To

Dave Hayes dave at jato.jpl.nasa.gov
Fri May 3 06:41:32 AEST 1991


brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:

>Somehow certain people have formed the mistaken impression that I have
>been treating large sites differently from small sites. As I have tried
>to explain, I do *not* see a fine line between the administrator of one
>machine and the manager of a network of ten thousand machines. I have
>not made and will not make a policy of sending break code to anyone who
>asks---exactly *because* wide distribution of the code will eventually
>reach the ``bad guys'', will affect practically every UNIX machine on
>the Internet, and won't be traceable. So (as Dave Hayes can assure you)
>I haven't been sending code to people merely because they manage a
>``large enough'' network.

Yes, I can vouch for that. Dan has persisted in an arrogant and counter-survival
attitude which affects the lives of nearly every damn sys admin responsible 
for computer security.

Consider...good computer crackers can find out exactly how to exploit
these holes from the information Dan has "graciously" (read 'teasingly')
given us all. Why NOT distribute the code involved? The damage is already
done. 

In fact, Dan has made a whole LOT of people 'wrong' in a sense of 
giving out a potential hole, and then proposing some long and tired
hack to a system to patch it. Does this work? Has anyone tried it?
Is it comprehensive?

Personally, I don't trust anyone that doesn't trust me. (Common sense)
There's no way I would trust the integrity and completeness of Dan's
patch...even though he may be competent enough to have provided the 
correct information. So that 'patch' he posted is basically worthless 
to me. (Yes, I could waste a good week figuring these things out for 
myself...this is neither desirable nor the real point.)

How many other sys admins out there feel like I do? I'd really like
to know.

>This may not be the optimal policy for handling a security hole, but
>it's the best policy I've come up with, and I'm not going to listen to
>complaints from people who can neither formulate a consistent
>alternative policy nor think through its effects. The intelligent man
>does not criticize what he cannot improve.

Well, to "improve" something has a different meaning to different people.
I can not only criticize, I can supply you with an alternative. Provide
enough details to enable someone to write a comprehensive program that
can check for the existence of the holes that you specify on any system...
then publish it. It's that simple. 

>---Dan

-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave at elxr.jpl.nasa.gov       dave at jato.jpl.nasa.gov           ames!elroy!dxh

   There is no greater calamity for a nation or individual
                 than not finding contentment in one's sufficiency.


