Path: utzoo!attcan!uunet!munnari.oz.au!metro!news
From: jimr@maths.su.oz.au (Jim Richardson)
Newsgroups: comp.sys.apollo
Subject: Re: Patches and security
Summary: Let's not say anything rash out loud!
Message-ID: <1990Jul20.031221.14378@metro.ucc.su.OZ.AU>
Date: 20 Jul 90 03:12:21 GMT
References: <7871@jarthur.Claremont.EDU>
Sender: jimr@maths.su.oz.au (Jim Richardson)
Reply-To: jimr@maths.su.oz.au (Jim Richardson)
Followup-To: CERT
Organization: Dept of Pure Mathematics, University of Sydney
Lines: 98

In article <7871@jarthur.Claremont.EDU>, jonathan@jarthur.Claremont.EDU (Jonathan Ball) writes:
> I may be wrong, but since we're not discussing this hole here, we'll never
> find out, will we?
>
>Well, perhaps Jim Richardson and anyone else who DOES know what the problem
>is, and HAS applied the patch, could tell us that information without
>revealing the hole to the rest of the world.

As I said in my previous posting <1990Jul17.004711.19627@metro.ucc.su.OZ.AU> on this,

>I hope everybody has m0121 installed by now. Maybe in a month or two it will
>be safe to discuss it on the net ... or maybe not.

Let's *please* give people some more time to install it before we start the discussion -- particularly since (as roger@GW1.AGS.BNL.GOV (Roger A. Katz) pointed out in <9007171350.AA29728@gw1.ags.bnl.gov>) you can't even install the patch with install++ because of yet another bug of some sort but have to copy the "module" (as Roger delicately and securely described it) into its place manually.

In the meantime, there *is* a safe way of approaching security questions: use CERT. I haven't had time (or the telephone link, from this distance) to talk to them myself. If there are people who *do* want to discuss security issues in depth, please do it with CERT not on Usenet, at least for the time being.

I append two old postings of Gene Spafford's describing CERT. I hope someone will take this up.
-- 
Jim Richardson
Department of Pure Mathematics, University of Sydney, NSW 2006, Australia
Internet: jimr@maths.su.oz.au   ACSNET: jimr@maths.su.oz   FAX: +61 2 692 4534

--
From: spaf@cs.purdue.EDU (Gene Spafford)
Newsgroups: comp.sources.d,news.sysadmin
Subject: Re: Security, not obscurity.
Message-ID: <10263@medusa.cs.purdue.edu>
Date: 8 Apr 90 01:31:16 GMT
References: <16900@well.sf.ca.us> <1990Mar29.055350.2922@Jhereg.Minnetech.MN.ORG> <1105@rwing.UUCP> <2364@sialis.mn.org> <291@van-bc.UUCP>
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Followup-To: comp.sources.d
Organization: Department of Computer Science, Purdue University

If you want to report a security bug or problem, your best bet is to report it to the CERT (Computer Emergency Response Team). Their e-mail address is

	cert@cert.sei.cmu.edu

The CERT 24-hour hotline is (412) 268-7080.

They will accept (and solicit) reports of any security flaw in software/hardware in systems currently on the Internet, and they will also accept reports of breakins and security incidents in progress. The folks at the CERT have ties in to most major vendors, they take reports very seriously, they keep the information confidential until fixes are available, and they don't dally when they get a report. They also have good contacts and working relationships with the various law enforcement agencies that would respond to problems you may be having. The CERT does no investigation on its own, and has no explicit jurisdiction or authority over security or law -- they are just a trusted crisis center that can direct your reports to the most appropriate parties.

If you want to submit something to the security mailing list, you can mail it to "security@cpd.com" or "zardoz!security". Mailings to this list will reach people at major vendors, including DEC, AT&T and Sun, as well as the CERT and admins at many major sites.
Note that the list may go to some unprotected sites, and anything appearing in the list is assumed to be known to the "bad guys" shortly after posting, so please use care in sending in news of gaping holes that cannot be fixed (send them to CERT, instead).

If, for any reason, you do not wish to be associated with a report to the CERT or a security list, you can send reports to me. If I receive a report via email (or phone -- 317-494-7825) with a request to forward it anonymously, I will be happy to pass it along to the appropriate place with all identification stripped. I will also pass along other reports, too, if you ask me to. That assumes you feel you can trust me, of course. (1/4 :-)

-- 
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu	uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf

From: spaf@cs.purdue.EDU (Gene Spafford)
Newsgroups: comp.sources.d
Subject: Re: Security, not obscurity.
Message-ID: <10283@medusa.cs.purdue.edu>
Date: 10 Apr 90 01:00:08 GMT
References: <16900@well.sf.ca.us> <1990Mar29.055350.2922@Jhereg.Minnetech.MN.ORG> <1105@rwing.UUCP> <2364@sialis.mn.org> <291@van-bc.UUCP> <10263@medusa.cs.purdue.edu>
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Organization: Department of Computer Science, Purdue University

Ooops! A minor goof. The CERT 24-hour hotline number is

	(412) 268-7090

The 7080 is a daytime general information number for CERT.

-- 
Gene Spafford