Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!usc!samsung!sdd.hp.com!caen!uflorida!novavax!ankh!megasys!pax
From: pax@megasys.com (Garry M. Paxinos)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Message-ID:
Date: 18 Feb 91 09:54:42 GMT
References: <1991Feb14.004122.1564@ism.isc.com> <1991Feb18.004416.12447@ddsw1.MCS.COM>
Sender: pax@megasys.COM
Organization: Megasystems, Inc. Delray Beach FL
Lines: 67
In-reply-to: karl@ddsw1.MCS.COM's message of 18 Feb 91 00:44:16 GMT

In article <1991Feb18.004416.12447@ddsw1.MCS.COM> karl@ddsw1.MCS.COM (Karl Denninger) writes:

Flame gun on nuclear holocaust setting:

Look, folks. You published 2.2 while KNOWING FULL WELL that the problem was there. The release notes even hint that you knew about it in 2.0.2 or before -- certainly before 2.2 came out.

And obviously they knew about it when the 2.2.1 update came out...

Now you've really done it. I hope your company gets sued for gross negligence and you go bankrupt.

I am absolutely positive it (legal action) is being looked into...

It is one thing to publish a product with a problem like this. It is another entirely to do so with full knowledge of the hole, the damage it will cause when exploited, and simply not care. That is, generally, the definition of gross negligence. It is akin to selling a person a car with known defective brakes.

Agreed.

There is lots of evidence of this "I don't care" attitude -- the fact that the bug was reported to you more than 6 months ago and ignored, and the published description of a "fix" in the release notes for 2.2.

Of course what's not in the 2.2 release notes is that if you apply the fix, and don't have a math chip, the system will then not be able to do any floating point math!

Not to beat a dead horse, but the fact that 2.2.1 did not address the 'feature' proves the above sentiment beyond all shadow of a doubt.

[...]
>The anticipated availability date of the bug-fix is February 22nd.
>
>Marty C. Stewart
>Support Team Leader
>Interactive Systems Corp.

You and your entire crew deserve to be fired. ISC has deliberately done this. The "support team" appears to have deliberately ignored the report of this bug for at least 6 months. It is a >fact< that the problem was known when 2.2 was released.

And in 2.2.1, there simply is NO excuse. Zero, None, NADA! Get my drift..

Let's look at this, 2.2 came out around May 90 (right?), 2.2.1 came out in early Dec 90, it's now mid Feb 91 ... hmmm.. almost a year... and still no fix... When did ISC get AT&T's 3.2.1 which apparently included the fix?

Perhaps Kodak will take this seriously enough to enforce some real discipline from the top level down -- and replace all of you.

I certainly hope so...

(flame gun off)

Ahh, in this case, leave the flame thrower on... they deserve it!

pax

--
E-Mail:pax@megasys.com pax@ankh.ftl.fl.us gmp@pinet.aip.org
USNail:Megasystems, Inc. 2055 South Congress Ave, Delray Beach, FL 33445
UUCP :{gatech!uflorida!novavax!ankh, mthvax, shark, attmail}!megasys!pax
Voice :407-243-2405 Data: 407-243-2407 Fax: 407-243-2408 Telex: 156281499
"This is America, Right?!?!?" member of 2 Live Crew