Path: utzoo!attcan!uunet!ns-mx!iowasp.physics.uiowa.edu!maverick.ksu.ksu.edu!zaphod.mps.ohio-state.edu!usc!snorkelwacker!bloom-beacon!eru!luth!sunic!mcsun!cernvax!achille
From: achille@cernvax.UUCP (achille petrilli)
Newsgroups: comp.sys.apollo
Subject: Re: security problems
Message-ID: <2032@cernvax.UUCP>
Date: 3 Jul 90 10:18:11 GMT
References: <9006281344.AA00445@cc2.cc.umr.edu>
Organization: CERN, European Laboratory for Particle Physics
Lines: 37

In article <9006281344.AA00445@cc2.cc.umr.edu> obrennan@CC3.CC.UMR.EDU (obrennan) writes:
>as well give them the keys". By the way, by announcing the info to the list
>you are ALSO giving away the keys to others' houses. I still think that the
>information can be just as helpful by opening up a problem report with Apollo
>and announcing that problem report # so that other administrators can query
>Apollo about it without exposing the network. Also, what is the liability of
>a person for publicly exposing this information? What if millions of dollars
>are lost because of the posting of the information?
>
>
>Gerry O'Brennan
>Computing Services
>University of Missouri - Rolla

Here are two true (horror) stories.

As everybody knows, SR9 and before had plenty of security holes all over the place. I submitted a number of UCRs (now APRs). For most of them, I got answers that only meant the problem wasn't understood. For some others, the official answer was that 'Aegis was not meant to be a secure system, protections are there to prevent non-malicious users from deleting everything' ... No action has EVER been taken to close those holes; as a matter of fact they are still there in SR9.7. The UCRs were sent during 1985/1986.

One of my friends told me around 1986/1987 that sendmail had a security bug in it that could allow anyone to become root. I didn't ask for details about it, but it came back to my mind when the Internet Worm arrived.

The two stories above should tell you that the official channels or 'security by ignorance' are not always the right way of handling this sort of problem. In some cases, you MUST go out to the net and take the risk.

Achille Petrilli
Management Information Systems
CERN