Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!slxsys!ibmpcug!ronald
From: ronald@ibmpcug.co.uk (Ronald Khoo)
Newsgroups: comp.unix.sysv386
Subject: Re: SCO Responds to security bugs (was: SCO UNIX C2 Security)
Message-ID: <1991Mar1.003629.24581@ibmpcug.co.uk>
Date: 1 Mar 91 00:36:29 GMT
References: <14791@scorn.sco.COM> <1991Feb22.093441.8639@specialix.co.uk> <1991Feb23.020126.8064@robobar.co.uk> <92022@lll-winken.LLNL.GOV>
Reply-To: ronald@robobar.CO.UK (Ronald Khoo)
Organization: At home.
Lines: 57

casey@gauss.llnl.gov (Casey Leedom) writes:

> [[Ad homin attacks on John deleted.]]

Honestly! They weren't attacks of any kind. Maybe a gentle ribbing, and mostly just wanting to know exactly what John's position was. Besides, the point about the support contract was a serious question that I actually would have liked an answer to, though John didn't address it. That's his privilege.

> If SCO had learned about the bug and then not fixed it or told anyone
> about it, then they could be accused of security through obscurity.

I wasn't referring to SCO with reference to that, just asking if John had changed his position; he says he hasn't, and I accept that.

> However, not broadcasting the exact method of making use of a security
> hole when distributing a bug patch for that hole is both common practice
> and good sense.

This is arguable. The simple fix to the original SCO security bug, which can be applied even without getting any patches at all, would be simply to disable rexecd in inetd.conf, as was implied in my original posting. In general, I would expect crackers to be far more knowledgeable than sysadmins, so spreading information as fast as possible would result in better, not worse, security, since it means that sysadmins can secure their systems as soon as possible. A normal sysadmin might not have been able to figure out that rexecd was the problem, but a cracker might well have figured it out.

Anyway, this bug has been pretty well known for ages.

> You don't want people who haven't had time to install the
> security patches to get wiped out.

Similarly, you want to give sysadmins the opportunity to secure their system as soon as possible, before the crackers have had time to act. Remember: the bad guy normally gets his info fast, first, and before the average sysadmin.

> I think you owe John an apology.

If my original post came over like an insult, I apologise. It was certainly not meant that way at all. I didn't think John was a STO fan, and I thought that it was obvious that it was a humorous extraction of the michael from those who are. I certainly hope that most of us here would agree that the STO position is not defensible.

John may well have his own reasons for not making the original bug clear. I had thought that this had anyway come up previously in the forum; perhaps I misremember. In any case it's clearly high time that the normal sysadmin got to know what the bug was. The crackers have known this hole for ages -- it's quite a well known one.

Casey, no offence, but I really think you might consider lightening up a bit.

--
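The mitigation the post points at, disabling rexecd in inetd.conf, as an added shell example that is not part of the original post and not SCO's code. It assumes the classic inetd.conf line layout (service, socket type, protocol, wait/nowait, user, server path, arguments) in which the rexecd daemon is listed under the service name `exec`, and it works on a constructed sample file rather than a real system's configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an inetd.conf for an
# active rexecd entry and produce a copy with that entry commented out.
# Assumption: the service name for rexecd in inetd.conf is "exec".

# Constructed sample inetd.conf (not taken from any real system).
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /etc/ftpd     ftpd
telnet  stream  tcp  nowait  root  /etc/telnetd  telnetd
exec    stream  tcp  nowait  root  /etc/rexecd   rexecd
shell   stream  tcp  nowait  root  /etc/rshd     rshd'

# rexecd_enabled: read an inetd.conf on stdin; succeed (exit 0) if an
# uncommented line registers the "exec" service, fail (exit 1) otherwise.
# Commented-out lines start with "#" and therefore do not match.
rexecd_enabled() {
    grep -q '^[[:space:]]*exec[[:space:]]'
}

# disable_rexecd: read an inetd.conf on stdin and write it to stdout with
# every active "exec" line turned into a comment. All other lines are
# passed through unchanged, so the file keeps its length and order.
disable_rexecd() {
    sed 's/^\([[:space:]]*exec[[:space:]]\)/#\1/'
}

# Demonstration on the constructed sample. Against a real system you would
# run these against /etc/inetd.conf, write the result back, and then send
# inetd a SIGHUP so it re-reads its configuration.
if printf '%s\n' "$SAMPLE_INETD_CONF" | rexecd_enabled; then
    echo "rexecd is enabled in the sample; disabled copy follows:"
    printf '%s\n' "$SAMPLE_INETD_CONF" | disable_rexecd
else
    echo "rexecd is not enabled in the sample"
fi
```

Both functions are plain filters on stdin, so the check can be run read-only first (`rexecd_enabled < /etc/inetd.conf`) and the rewrite applied to a copy before replacing the live file; the edit does nothing until inetd is told to re-read its configuration.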