Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!ncar!midway!gargoyle!chinet!pdg
From: pdg@chinet.chi.il.us (Paul Guthrie)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <1991Feb19.042353.27075@chinet.chi.il.us>
Date: 19 Feb 91 04:23:53 GMT
References: <1991Feb12.085747.8468@specialix.co.uk> <27B93F44.5606@tct.uucp> <3214@sixhub.UUCP>
Organization: The League of Crafty Hackers
Lines: 21

I'm sick of people calling this a "gaping kind-you-can-drive-a-truck-through hole" in UNIX security. If it was so gaping, how come it has never come up here before, like so many other obscure problems? ISC was fixing this, and if that idiot had kept his mouth shut, it would have been fixed in time, without many of us rushing out to buy coprocessors. He even admitted it didn't affect his site.

This was an act of pure stupidity. If indeed he had been after ISC to get a fix, why wasn't a note like: "There is a terrible bug in ISC UNIX security that allows root access instantaneously. I have mailed the problem to ISC (or reported the bug) to ISC and will post the problem in 3 months. The clock is ticking ISC...." posted. The posting of source code to crack a system and binaries even was nothing more than glory-hounding, sort of like saying "See what I know and you don't".

This person is immature, irresponsible and has caused a lot of people a lot of trouble. If indeed his cause was to get the bug fixed to stop "security problems" he would not have caused a multitude more in the short term.

--
Paul Guthrie
chinet!nsacray!paul or pdg@balr.com or attmail!balr!pdg