Path: utzoo!attcan!uunet!decwrl!ucbvax!UMIX.CC.UMICH.EDU!krowitz%richter
From: krowitz%richter@UMIX.CC.UMICH.EDU (David Krowitz)
Newsgroups: comp.sys.apollo
Subject: Re: security problems
Message-ID: <9007021312.AA05460@richter.mit.edu>
Date: 2 Jul 90 13:12:03 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 17

You have a nice idea that does not work in practice. The Hotline number
is *NOT* restricted to system administrators. It is accessible to *ANY*
user who knows how to dial 1-800-2-apollo and who knows your network's
site-ID number. HP/Apollo has no way of telling whether or not the caller
is 'trustworthy'. All that a user has to do is to dial the number, give
the site-ID (and if they're sneaky, give their sys admin's name but their
own phone number), and ask the necessary question "what's this about a
new security bug?". The hotline is *not* secure.

-- David Krowitz

krowitz@richter.mit.edu (18.83.0.109)
krowitz%richter.mit.edu@eddie.mit.edu
krowitz%richter.mit.edu@mitvma.bitnet
(in order of decreasing preference)