Xref: utzoo comp.unix.wizards:25245 alt.security:2361
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!uunet!snorkelwacker.mit.edu!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <14839:Apr2923:33:4391@kramden.acf.nyu.edu>
Date: 29 Apr 91 23:33:43 GMT
References: <3600:Apr2614:04:4391@kramden.acf.nyu.edu> <13218@goofy.Apple.COM>
Organization: IR
Lines: 39

In article <13218@goofy.Apple.COM> erc@Apple.COM (Ed Carp) writes:
> In article <3600:Apr2614:04:4391@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
> >6. I will give further details on the security holes to anyone who
> >convinces me that he has a legitimate interest.
> Um, what IS this bullshit?

I'm sorry if you find this too restrictive. I also advise you to read
the articles that you claim to be responding to: in item 5 I set a date
upon which I will disclose full details of the security holes. While I
understand that people without a legitimate interest in the security
holes (you, for instance?) don't want to wait that long, I'd feel guilty
if I didn't give vendors a grace period to clean up their act.

> Your pathetic excuses
> about protecting the information from "black hats" is unmitigated bullshit.

I have never made any such excuses. I must add, sir, that the accuracy,
originality, and sophistication of your rhetoric are matched only by its
grammatical brilliance.

> The only thing you are doing is concealing any valuable information that you
> may have from the people who have a genuine need for your information.

If you had a genuine need for the information, then you'd be explaining
that need to me rather than blathering all over netnews.

> The
> folks who already care about cracking into systems already know about this
> stuff anyway.

An NCSC trusted systems reviewer, among others, has told me that he is
unfamiliar with the holes in question. Have you heard of the NCSC?

You remind me of the people who say (without knowing, of course) that
sendmail's debug hole was widely known before RTM made a fool of
himself. Does it make you feel wizardly to pretend that you know what
you're talking about?

---Dan