Path: utzoo!attcan!uunet!decwrl!ucbvax!CAEN.ENGIN.UMICH.EDU!pha
From: pha@CAEN.ENGIN.UMICH.EDU (235 Chry)
Newsgroups: comp.sys.apollo
Subject: Re: Patches and security
Message-ID: <4bb450475.0017b5e@caen.engin.umich.edu>
Date: 20 Jul 90 14:28:45 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 40

    From: jonathan%jarthur%usc.uucp@ucsd.edu
    Organization: Harvey Mudd College, Claremont, CA 91711
    Message-Id: <7871@jarthur.Claremont.EDU>
    Subject: Re: Patches and security

    In article <1990Jul19.193641.23420@terminator.cc.umich.edu> rees@citi.umich.edu (Jim Rees) writes:

        In article <1469@m1.cs.man.ac.uk>, dente@els.ee.man.ac.uk (Colin Dente) writes:
        > PLEASE keep the nature of security holes quiet.

        I disagree, and patch 121 is a perfect example of why we need to
        discuss security holes. Unless I miss my guess, this patch does not
        fix the hole at all, it just removes a copy of a program that
        exploits that hole. You go away thinking your machine is now somehow
        more secure, and anyone who really wants to can still get in.

        I may be wrong, but since we're not discussing this hole here, we'll
        never find out, will we?

    Well, perhaps Jim Richardson and anyone else who DOES know what the
    problem is, and HAS applied the patch, could tell us that information
    without revealing the hole to the rest of the world.

    Jon
    --
    jonathan@jarthur.claremont.edu (134.173.4.42)

I sent jonathan a description of the problem, and why patch 121 doesn't fix
anything. This is a very serious problem. It defies rational thought to
believe that it exists in the first place, and that this type of "patch"
supposedly fixes it in the second place.

Security by obscurity is DANGEROUS!!!!

Paul Anderson
CAEN Systems Programmer
University of Michigan