Xref: utzoo comp.unix.sysv386:5463 comp.bugs.4bsd:1761
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!lll-winken!gauss.llnl.gov!casey
From: casey@gauss.llnl.gov (Casey Leedom)
Newsgroups: comp.unix.sysv386,comp.bugs.4bsd
Subject: Re: SCO Responds to security bugs (was: SCO UNIX C2 Security)
Keywords: error checking
Message-ID: <92022@lll-winken.LLNL.GOV>
Date: 26 Feb 91 15:12:25 GMT
References: <14791@scorn.sco.COM> <1991Feb22.093441.8639@specialix.co.uk> <1991Feb23.020126.8064@robobar.co.uk>
Sender: usenet@lll-winken.LLNL.GOV
Followup-To: comp.unix.sysv386
Organization: Lawrence Livermore National Laboratory
Lines: 24
Nntp-Posting-Host: gauss.llnl.gov

| From: ronald@robobar.co.uk (Ronald S H Khoo)
|
| | From: jpp@specialix.co.uk (John Pettitt) writes:
| |
| | Before you ask - no I am not going to post the bug,
|
| Why not? You're not one of those ARRRGH SECURITY THRU OBSCURITY people
| are you, John?

  [[Ad hominem attacks on John deleted.]]

  If SCO had learned about the bug and then not fixed it or told anyone
about it, then they could be accused of security through obscurity.
However, not broadcasting the exact method of making use of a security
hole when distributing a bug patch for that hole is both common practice
and good sense.  Keith Bostic does this for 4BSD security patches, for
instance.  You don't want people who haven't had time to install the
security patches to get wiped out.  There may well even be grounds for a
negligence suit if a company did lay its customers open to assault this
way.

  I think you owe John an apology.  You should also probably cross your
fingers and hope you don't get sued by some SCO customer for your post if
it results in them suffering any losses.

Casey