Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!usc!wuarchive!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!news.cs.indiana.edu!msi.umn.edu!cs.umn.edu!quest!digibd!rhealey
From: rhealey@digibd.com (Rob Healey)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <1991Feb22.180214.12836@digibd.com>
Date: 22 Feb 91 18:02:14 GMT
References: <27B93F44.5606@tct.uucp> <3214@sixhub.UUCP> <1991Feb19.042353.27075@chinet.chi.il.us>
Organization: DigiBoard Incorporated, St. Louis Park, MN
Lines: 45

In article <1991Feb19.042353.27075@chinet.chi.il.us> pdg@chinet.chi.il.us (Paul Guthrie) writes:
>I'm sick of people calling this a "gaping
>kind-you-can-drive-a-truck-through hole" in UNIX security. If it
>was so gaping, how come it has never come up here before, like so
>many other obscure problems? ISC was fixing this, and if that
>idiot had kept his mouth shut, it would have been fixed in time,
>without many of us rushing out to buy coprocessors.

[ More "blaming the victim" deleted. ]

AT&T fixed the bug quite a while ago. SCO and Dell did too. The reason most of us are shocked is because of the fundamental nature of this bug/"feature" and the implications that it makes toward responsibility of vendors. The bug IS a "gaping kind-you-can-drive-an-ocean-liner-through hole" in UNIX security.

Do you SERIOUSLY think that ISC would have fixed this bug WITHOUT all this negative publicity? I SINCERELY doubt it, due to the fact that they DOCUMENTED it and let it slide for well over a year after AT&T found it. This is a VERY sad statement for the state of software vendors today.

What's even sadder is that "shrink wrap" license that protects EVERY software vendor from being responsible for ANYTHING. REALLY read that disclaimer sometime: all fault is shoved on the USER and NOT the provider. EVERY piece of software you have has this on it; NO vendor is responsible for the software they produce.

THAT is the saddest part of all of this. The software industry has 0/zilch/nada/none legal responsibility to the user community. The only "bone" thrown to a user is that some companies MIGHT choose to be morally responsible... By the agreement on the ISC boxes, ISC CANNOT BE HELD RESPONSIBLE for ANY damages resulting from use, or misuse, of their product. EVERY piece of software you "own" is the same. I would be VERY surprised if anything legal came out of this. As one person already said, the ONLY thing software companies are legally bound to do is provide you with defect-free media; NOTHING else.

Think about it...

-Rob

Speaking for self, not company.