Xref: utzoo alt.security:2068 comp.unix.admin:1469 news.admin:13077 comp.unix.internals:2471
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!cbnewsh!wcs
From: wcs@cbnewsh.att.com (Bill Stewart 908-949-0705 erebus.att.com!wcs)
Newsgroups: alt.security,comp.unix.admin,news.admin,comp.unix.internals
Subject: Re: in.telnetd
Message-ID: <1991Apr3.031127.25462@cbnewsh.att.com>
Date: 3 Apr 91 03:11:27 GMT
References: <14471@life.ai.mit.edu> <1991Mar31.175455.23513@unhd.unh.edu>
Organization: Your typical phone company involved in your typical daydream
Lines: 20

In article <1991Mar31.175455.23513@unhd.unh.edu> rg@msel.unh.edu (Roger Gonzalez) writes:
]This brought to light one of my chief beefs about CERT:
]they just say that there is a hole, and where to
]get something to fix it. I get queasy when CERT says "quick - go
]replace your in.telnetd" without any explanation of where the hole is.

It's not too bad a compromise between the obscurity method so
successfully practiced by some three-letter-acronym companies :-)
and just telling everyone the gory details which guarantees that
sites with inattentive sysadmins can be cracked by novices.
Sure, it's nice to know what's really going on, even if it's just
yet-another-telnetd-hole, but it's better to give people a chance
to fix it first.

It's a different case if you're talking about bugs without known fixes,
or bugs in equipment whose manufacturers aren't responsive about
releasing fixes.
--
Pray for peace; Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
"Don't Use Racist or Sexist Language" - Political Correctness Police Slogan
"Let's Beat Up That African-American" - Los Angeles Police Department Slogan