Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!cs.utexas.edu!milano.sw.mcc.com!uudell!natinst!balkan!wrangler!ssbn!bill
From: bill@ssbn.WLK.COM (Bill Kennedy)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <2016@ssbn.WLK.COM>
Date: 14 Feb 91 00:47:56 GMT
References: <483@stephsf.stephsf.com>
Reply-To: bill@ssbn.WLK.COM (Bill Kennedy)
Organization: W.L. Kennedy Jr. and Associates, Pipe Creek, TX
Lines: 62

In article <483@stephsf.stephsf.com> wengland@stephsf.stephsf.com (Bill England) writes:
>
> The program crashes with a memory fault on SCO ODT 1.0 on a system
> with an fpu.

That's good to know. I've not had a whole lot of complimentary things to say about ODT; this is important enough to remember.

> I have serious reservations about this kind of post. While as a
> system administrator I want to know, at the same time it
> is similar to giving handguns to a bunch of street thugs.

No, I completely disagree. The street thugs already had the handguns and they were already pointed at our heads; this just gave us fair warning so that we could defend ourselves.

I read the article with mixed emotions because I took a rather extreme defense. I have an NCR Tower who has custody of all connections to the outside world and all user access other than a couple of people that I can go strangle if they betray me. That is *very* extreme, but I have been successfully attacked and vandalized, so my paranoia has some basis.

I think the post was completely correct and proper because he made it clear that he had notified ISC and they had either stonewalled or ignored him. I would prefer to believe that ISC didn't know about the hole, but my personal opinion is that they knew and shipped anyway.

> The only way to protect ourselves, for now, is that those who have
> read the posting should inform their system administrators that the
> bug exists and the system admins can ask (Tell) everyone to not do
> it.

I would take it a step farther. I would delete or inactivate any user account that you do not know and trust. That can be a touchy situation sometimes, but necessary if you place any value on the security of your system and its contents. I think that you must presume that someone will get mischievous and take a joy ride. Even experts can bruise the foliage in a high-speed chase.

> --
>  +- Bill England, wengland@stephsf.COM -----------------------------------+
>  |  *   *      H -> He +24Mev                                              |
>  |   *  *  *  ... Oooo, we're having so much fun making itty bitty suns  * |
>  |__ *  *  ________________________________________________________________|

I'm rather surprised at how calm and quiet everyone is about this. For the purpose of making my point I'll ASSume that Interactive knew about this and didn't tell anyone. I have no such evidence, but it illustrates my point. Your (and my) UNIX vendor shipped an operating system that they _knew_ had a huge gaping security hole in it. They took your money and exposed you to Lord knows what. Now, after (if we're to believe the original article, and I do) several days, there's no confirmation or denial from Interactive and no howls of outrage from those standing in the wind with their bathrobes at half mast. I guess that this confirms what I believe was their opinion in the first place: who cares?

Well, damn it! I care! Maybe I care too much and have a gatekeeper to keep joy riders out, but I think that each and every one of you should care, and should care more than I do. On the other hand, maybe we are just hobby players, maybe these systems are toys, don't produce any meaningful work, cost $$ within discretionary budgets, or we're just amateurs who don't understand the consequences of a rogue with root permissions.

--
Bill Kennedy  usenet    {att,cs.utexas.edu,pyramid!daver}!ssbn.wlk.com!bill
              internet  bill@ssbn.WLK.COM  or  attmail!ssbn!bill