Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!PAN.SSEC.HONEYWELL.COM!thompson
From: thompson@PAN.SSEC.HONEYWELL.COM (John Thompson)
Newsgroups: comp.sys.apollo
Subject: re: Patches and security
Message-ID: <9007201942.AA05314@pan.ssec.honeywell.com>
Date: 20 Jul 90 19:42:07 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 30

> I sent jonathan a description of the problem, and why patch 121 doesn't
> fix anything.

I have also verified that the patch is trivial to work around. I also
verified that 'install' does not install the patch "module."

> This is a very serious problem. It defies rational thought to believe that
> it exists in the first place, and that this type of "patch" supposedly fixes
> it in the second place.

It is even worse in that it _TELLS_ you that it was unable to break
security, but does so anyway!!!

The problem is that, now that a copy of the dangerous module has been
available, the only way I can think of to repair the damage is to change
the internals for that module. That would involve several driver-level
changes, and would ruin many other software packages.

> Security by obscurity is DANGEROUS!!!!

True! Notice how obscure we are, anyway.

I have opened up a call with Apollo on the failure of this patch. I am
going to try and get a new APR for it, along with some sort of answer
from them as to what they intend to do about it. Until then, I will not
mention where the breach is, or how to get around the "patched" hole,
although most everyone seems to know anyway.

John Thompson (jt)
Honeywell, SSEC
Plymouth, MN 55441
thompson@pan.ssec.honeywell.com

As ever, my opinions do not necessarily agree with Honeywell's or reality's.
(Honeywell's do not necessarily agree with mine or reality's, either)