Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!ucsd!ucbvax!imf.unit.no!hanche
From: hanche@imf.unit.no (Harald Hanche-Olsen)
Newsgroups: comp.sys.apollo
Subject: Re: Security hole: dde! (Relax, everybody - false alarm).
Message-ID:
Date: 9 May 90 00:04:31 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 23

It's a good thing the color of my face can not be seen on the network.
Here I go, saying dde is a security risk, when all it was was the suid
bit on the crp program that had been hit, either by a cosmic ray or by
a cracker. I hope the former is the case, but fear the latter...

Many thanks to Erica Dorenkamp at HP/apollo, who wrote to me,
explaining that what happened could not possibly happen, because all
dde does is to run crp ... which together with the suid bit of course
explains it all, and the rest is history.

I guess I should apologise to all you systems administrators out
there, who must have been trying to duplicate my result to no avail, no
doubt wasting valuable time in the process. On the other hand, if only
one of you had written to me, explaining you did not get this result,
I might have figured it out sooner and spared the rest of you the
trouble.

Someone might or might not want to comment on the appropriateness of
coming out with this kind of early information when you think you have
found a gaping security hole... If so, please, send the flames to
/dev/null.

- Harald Hanche-Olsen
  Division of Mathematical Sciences
  The Norwegian Institute of Technology