Path: utzoo!utgpu!news-server.csri.toronto.edu!clyde.concordia.ca!uunet!samsung!usc!ucsd!ucbvax!CAEN.ENGIN.UMICH.EDU!pha
From: pha@CAEN.ENGIN.UMICH.EDU (Paul H. Anderson)
Newsgroups: comp.sys.apollo
Subject: re: Patches and security
Message-ID: <4bc356ba6.0017b5e@caen.engin.umich.edu>
Date: 23 Jul 90 14:10:54 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 42

> I sent jonathan a description of the problem, and why patch 121 doesn't
> fix anything. I have also verified that the patch is trivial to work around.

I also verified that 'install' does not install the patch "module."

> This is a very serious problem. It defies rational thought to believe that
> it exists in the first place, and that this type of "patch" supposedly fixes
> it in the second place.

It is even worse in that it _TELLS_ you that it was unable to break security,
but does so anyway!!!

The problem is that, now that a copy of the dangerous module has been
available, the only way I can think of to repair the damage is to change the
internals for that module. That would involve several driver-level changes,
and would ruin many other software packages.

> Security by obscurity is DANGEROUS!!!!

True! Notice how obscure we are, anyway.

I have opened up a call with Apollo on the failure of this patch. I am going
to try and get a new APR for it, along with some sort of answer from them as
to what they intend to do about it. Until then, I will not mention where the
breach is, or how to get around the "patched" hole, although most everyone
seems to know anyway.

John Thompson (jt)
Honeywell, SSEC
Plymouth, MN 55441
thompson@pan.ssec.honeywell.com

As ever, my opinions do not necessarily agree with Honeywell's or reality's.
(Honeywell's do not necessarily agree with mine or reality's, either)

I've also got a call open on it - it was immediately raised to P1 priority at
my request, and I am expecting an answer from customer services tomorrow or
Wednesday as to if/when/how the hole will be fixed. I will let this group
know the results of that call.

I have asked for a patch for SR10.1, SR10.2, as well as SR10.3. Having a
patch for just 10.3 doesn't help, as we have about an even mix of 10.1 and
10.2 machines running around.

Paul Anderson