Path: utzoo!attcan!uunet!mcsun!ukc!mucs!craven!root
From: root@craven.ee.man.ac.uk (Operator)
Newsgroups: comp.sys.apollo
Subject: Re: security problems
Message-ID: <1407@m1.cs.man.ac.uk>
Date: 4 Jul 90 12:05:51 GMT
References: <1990Jul2.145952.13977@caen.engin.umich.edu>
Sender: news@cs.man.ac.uk
Reply-To: dente@els.ee.man.ac.uk
Organization: Manchester Computer Centre, University of Manchester UK
Lines: 24

In article <1990Jul2.145952.13977@caen.engin.umich.edu> jal@acc.flint.umich.edu (John Lauro) writes:
>With all the talk about security, and at least two problems with using
>Apollo's hot-line (No/Poor/Expensive to some, and not secure), perhaps
>a moderated mailing list would work.
>
I agree that the hot-line is not secure, but how on earth could you make a
mailing list secure?  What method could you use to ensure that someone is a
bona-fide sysadmin? - And even if they are, can you really trust them?  Gone
are the days of the mainframe sysadmin as an elite breed - we're two a penny
now (God! - I can almost feel myself slowly depreciating ;-()

As far as I can tell - the only real solution is for HP/Apollo to IMMEDIATELY
fix any security holes (no - fixed in release 15.23 1/2 WON'T do!!) and simply
inform people that the patch exists and should be installed.  They should not
release any details of the nature of the problem as this simply makes things
easier for hackers.  I believe that DEC already operate in a similar fashion to
this - though I could well be wrong.

Frankly, it seems to me that Apollo's attitude towards security sucks, which
is a great shame 'cos I generally love the machines.

Anyway, enough rambling - here endeth my $0.02 worth.

Colin