Xref: utzoo comp.unix.wizards:25249 alt.security:2362
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!ucbvax!ulysses!ulysses.att.com!smb
From: smb@ulysses.att.com (Steven Bellovin)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <14683@ulysses.att.com>
Date: 30 Apr 91 02:32:44 GMT
References: <3600:Apr2614:04:4391@kramden.acf.nyu.edu> <13218@goofy.Apple.COM> <1991Apr29.222139.21284@pcserver2.naitc.com>
Sender: netnews@ulysses.att.com
Lines: 55

In article <1991Apr29.222139.21284@pcserver2.naitc.com>, kdenning@pcserver2.naitc.com (Karl Denninger) writes:

[mostly deleted]

Dan is caught between a rock and a hard place here.  He knows of certain
security problems in many existing systems.  What should he do with the
information?

One answer is to post and be damned.  Lots of people advocate that.  I
sometimes do, myself -- as noted, the crackers often know the problems,
too.  In this case, the bug is very widespread.

Another answer is to tell vendors and CERT.  This is a favorite of folks
who don't like the first answer.  He's tried that; according to his
earlier postings, some vendors, at least, aren't interested.

Robert Morris had his answer to the problem of how you get vendors to fix
security problems, but it bought him a felony conviction.  Most people
consider that too high a price to pay.

Face it, there's no satisfying everyone.  What Dan has done -- offered
details to anyone who can prove his or her legitimacy -- is certainly
defensible as an answer.  You and I may not (or may) agree with it, but
it's as reasonable a choice as either of the first two.

> From the manual pages [on TIOCSTI], I believe it shouldn't work.

I believe you're barking up the wrong termite-infested tree.  Although I
haven't seen a detailed report on the problem, there were sufficient clues
in the first three parts that I'm fairly certain I know what rock these
bugs are hiding under.  To be sure, I'm already predisposed to think in
those terms -- Dan did cite my paper as relevant.  (For those who are
interested, the citation is ``The "Session Tty" Manager'', Bellovin, S.M.,
Proceedings of USENIX Conference, San Francisco, CA, Jun 30, 1988,
P339-354.)

> If this is not true, I would like details.  Not just "fixes", or
> pontificating, but details.  I can patch around lots of things, and
> replace system code if necessary.  Without some DETAILS it's
> difficult at best.

To announce the details now would be to opt for choice 1.  Dan has already
rejected that approach.  For those who don't believe the bugs exist, he
has offered Keith Bostic as a reference.  You can't do better than Keith,
but if the network wants, I'll offer myself as another reference -- Dan
and I have corresponded enough that I'm sure he'll trust me with the
info...  Not that I really need to see it -- as I said, I think I know
where the bodies are buried.  (Gee -- that's my third metaphor for the
same problem, and all in one posting...)

Incidentally, offering (threatening?) to post programs that exploit the
bugs is in itself a pretty good warranty.  Dan wouldn't risk his
reputation if he didn't have those programs written already, I suspect.

		--Steve Bellovin