Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!brutus.cs.uiuc.edu!apple!well!jef
From: jef@well.sf.ca.us (Jef Poskanzer)
Newsgroups: comp.sources.d
Subject: "cops" and robbers
Message-ID: <16900@well.sf.ca.us>
Date: 27 Mar 90 19:33:35 GMT
Reply-To: Jef Poskanzer <jef@well.sf.ca.us>
Organization: Paratheo-Anametamystikhood Of Eris Esoteric, Ada Lovelace Cabal
Lines: 26

The recent posting of "cops", a Unix security assessment tool, points
out once again how much of a Red Queen's Race the security business
is.  Anything that tells the good guys what holes to plug also tells
the bad guys what holes to use.  The good guys have to keep up on all
the latest security assessment tools just to stay even.

Did you know that this latest Internet cracker was using Matt Bishop's
deszip?

When possible, it's great to post info about how to plug a hole without
revealing how to use the hole.  CERT does this when they can.  But it's
not always possible.  When instructions for fixing a hole reveal how to
exploit the hole, it is necessary to broadcast the instructions, and IT
IS ALSO NECESSARY THAT WE ALL APPLY THEM.

Did you know that a year and a half after the Internet Worm, some
manufacturers are still shipping systems with a DEBUG-enabled
sendmail?

Anyway, I don't want to get this tired old discussion going again, I
just wanted to point out that now that "cops" has been posted, there is
a new minimum level for Unix security.
---
Jef
                                   
  Jef Poskanzer  jef@well.sf.ca.us  {ucbvax, apple, hplabs}!well!jef