Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!dcl-cs!aber-cs!athene!pcg
From: pcg@cs.aber.ac.uk (Piercarlo Grandi)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Message-ID:
Date: 18 Feb 91 21:46:30 GMT
References: <1991Feb12.085747.8468@specialix.co.uk> <27B93F44.5606@tct.uucp> <3214@sixhub.UUCP>
Sender: pcg@aber-cs.UUCP
Organization: Coleg Prifysgol Cymru
Lines: 62
Nntp-Posting-Host: odin
In-reply-to: davidsen@sixhub.UUCP's message of 18 Feb 91 02:04:24 GMT

On 18 Feb 91 02:04:24 GMT, davidsen@sixhub.UUCP (Wm E. Davidsen Jr) said:

davidsen> In article <27B93F44.5606@tct.uucp> chip@tct.uucp (Chip
davidsen> Salzenberg) writes:

[ .. on the appalling trapdoor in SysV 3.2 that turns the Unix kernel
itself into a trojan horse ... ]

davidsen> I am amazed that the companies didn't fix it instantly and
davidsen> send it by registered express mail to every owner.

And admit that the problem exists? The first thing their attorney will
have told them must have been "don't admit anything". They tried to hush
things initially.

davidsen> In today's litigious climate, I can see a jury finding them
davidsen> negligent.

Negligent of what? Technically and practically, all these vendors are
just selling you defect free floppies. The usefulness of their contents
is explicitly disclaimed in every possible way. Only an irresponsible
person does not read the warranties, especially when they are so clear
and explicit.

You may think that uniform warranty legislation is the answer, but then
this would kill off free sw of any type.

I think that in legal terms, and in practical terms as well, the
perpetrators of this debacle have been perfectly honest -- they *do* sell
you defect free floppies, and if they are not defect free they will
eventually (slowly, apparently :-/) replace them with defect free ones
for a period of up to 90 days. They promise you something, they keep
their promise.

Don't take them to task for failing to deliver something they have never
promised, like Unix, or a secure Unix, or a Unix in which there are no
trapdoors. For all we know there is in the System V shell a secret
"becomeroot" command that allows those "in the know" to become root
exploiting the u-area trapdoor. How do you know there is no such command
or option? Do any of the System V suppliers promise you that there is no
such thing? No, actually they disclaim any representation to this
effect.

If *you* think that you are purchasing a Unix product, that's *your*
problem. You are in fact purchasing System V brand defect free floppies,
for over $1,000. Up to you to decide whether a set of defect free
floppies (and a chance, for which you take all responsibility, at
running whatever is recorded on them) is worth $1,000. You are never
misled about what your money is really buying.

Naturally we both know what the _real_ story is, but what is written
above seems to me logically flawless.

Much more dangerous misunderstandings can happen: I remember a jerk that
had complained that the Internet Worm had caused a downtime of two days
on his Unix based network and his organization could not afford a two
day downtime for the whole network. I would have promoted the jerk to
assistant janitor on the spot, because somebody that cannot afford a two
day downtime cannot run software whose warranty states that in the event
of problems *you* are liable to pay damages to the software's *supplier*.
--
Piercarlo Grandi                   | ARPA: pcg%uk.ac.aber.cs@nsfnet-relay.ac.uk
Dept of CS, UCW Aberystwyth        | UUCP: ...!mcsun!ukc!aber-cs!pcg
Penglais, Aberystwyth SY23 3BZ, UK | INET: pcg@cs.aber.ac.uk