Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!caen!uflorida!novavax!ankh!megasys!pax
From: pax@megasys.com (Garry M. Paxinos)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Message-ID:
Date: 15 Feb 91 12:25:34 GMT
References: <1991Feb12.085747.8468@specialix.co.uk> <27B93F44.5606@tct.uucp> <6027@unix386.Convergent.COM>
Sender: pax@megasys.COM
Organization: Megasystems, Inc. Delray Beach FL
Lines: 59
In-reply-to: mburg@unix386.Convergent.COM's message of 14 Feb 91 19:41:21 GMT

In article <6027@unix386.Convergent.COM> mburg@unix386.Convergent.COM (Mike Burg) writes:

> A two sided coin problem...
>
> Quite true.. From the view of a person who has worked for various Unix
> system houses - you can't really blame ISC, ESIX, or any other vendor
> that currently has the bug in its release. I think the blame should be
> placed on AT&T. They are the ones who are (were) shipping the base source
> with the bug. Most AT&T UNIX vendors typically only concentrate on adding
> more options to the system (i.e. X-Windows, more controller card support,
> networking). They usually don't look into rats' mazes like memory
> management. Now, look at it from the vendor's eyes - you'd be expecting
> AT&T to ship a somewhat "secure" (if you can call it that) product,
> without serious holes like this one. Logical conclusion - concentrate on
> value and price. But after this, I guess not. There's only so much a
> systems house can concentrate on, and some of them are poorly understaffed.

I agree completely on the above; with systems as complex as a full Unix operating system it is quite likely that some things will slip thru. HOWEVER, they clearly were aware of the 'gaping hole' when they released 2.2, as it is openly stated in the release notes (and you don't have to be a kernel hacker to understand it... I guess it just shows how many people really read the release notes :-)

This, coupled with the fact that the 2.2.1 update did nothing to close the 'hole', would seem to indicate either extreme incompetence or total disregard for customer security and any intent on fixing real problems. Unfortunately, as they seem to be able to come up with a fix by next Friday (the 22nd), the latter appears to be the case...

If this weren't so insidious a breach of security I would be a little more tolerant. But openly stating it in a Release Note almost a year ago and then doing absolutely nothing to fix it, even when they have come out with an update since then. Is this a classic definition of negligence or what?

> ON THE OTHER HAND, since you are buying a product from the vendors, you'd
> *EXPECT THEM* to sell you a stable product. Kind of like selling you a new
> car, then having it go out of control because your kid decided to change
> the radio station.

I agree 100%.

> Face it folks, all versions of Unix for the PC have problems of some kind.
> (Just a matter of what size the explosion will be when it goes off in your
> face) It ain't no Ginsu knife offer - ("It dices, it slices, it's a
> multitasking OS and a teeth cleaner! And if you order now you'll
> receive....")

Again, absolutely no argument. But, alas, it really doesn't apply to this specific problem.

pax.

--
E-Mail: pax@megasys.com  pax@ankh.ftl.fl.us  gmp@pinet.aip.org
USNail: Megasystems, Inc. 2055 South Congress Ave, Delray Beach, FL 33445
UUCP  : {gatech!uflorida!novavax!ankh, mthvax, shark, attmail}!megasys!pax
Voice : 407-243-2405  Data: 407-243-2407  Fax: 407-243-2408  Telex: 156281499
"This is America, Right?!?!?" member of 2 Live Crew