Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!caen!sol.ctr.columbia.edu!emory!rsiatl!jgd
From: jgd@Dixie.Com (John G. DeArmond)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <6913@rsiatl.Dixie.Com>
Date: 13 Feb 91 22:17:11 GMT
References: <483@stephsf.stephsf.com>
Organization: Rapid Deployment Systems (making go-fast things and things that-go fast)
Lines: 59

wengland@stephsf.stephsf.com (Bill England) writes:

> I have serious reservations about this kind of post. While as a
> system administrator I want to know, at the same time it
> is similar to giving handguns to a bunch of street thugs.
> The only way to protect ourselves, for now, is that those who have
> read the posting should inform their system administrators that the
> bug exists and the system admins can ask (tell) everyone to not do
> it.

Actually, I was thinking quite the opposite. This little experience is
the shining example of why security-by-obscurity does NOT work and why
ALL security holes should be reported widely.

Look at what happened: Our friend at dobag tried for over 6 months to
quietly work with ISC and get the bug fixed. Aside from his getting the
usual it's-not-a-bug-it's-a-feature runaround, consider what would have
happened if ISC HAD addressed the problem when he originally reported
it. They'd have most likely packaged the fix - if they could have
managed to get it right (shades of the inode bug) - in their next
"upgrade" for which a hefty fee would be charged and which those who
don't pay the support extortion would not know about. This fix might
have come out in 6 months or it might have taken a year or who knows.

But suppose they'd fixed it correctly and responded with free fixes to
every owner. The owners of other brands of V3 would have remained just
as exposed. Even if the cumbersome CERT mechanism had lumbered into
action, it would have still been months before fixes got implemented
with other vendors and still longer before they hit the streets. And
with the fanatical obsession with secrecy and obscurity among the
CERT-types, none of us would have known exactly what "security chasm"
had been filled.

As this event transpired, in less than 2 days, all the common Unixes
had been tested, the test results posted here, workarounds developed
(so you have to buy a 387 - big deal if your system really needs the
security) and last but not least, we now most likely have people poking
around looking for related problems. (Everybody so hacking raise your
hands now.. Hmm, yep, thought so :-)

As the system owner and administrator, I got to exactly evaluate the
risk and decide what to do about it. Since I chose long ago not to rely
on permissions to protect sensitive data files, all such information is
stored encrypted. I can therefore decide not to spin in place and lose
sleep over the problem.

I say "THANK YOU" to all the people involved. The system of free
flowing information works again.

John

--
John De Armond, WD4OQC        | "Purveyors of speed to the Trade" (tm)
Rapid Deployment System, Inc. | Home of the Nidgets (tm)
Marietta, Ga                  | {emory,uunet}!rsiatl!jgd |"Politically InCorrect.. And damn proud of it