Xref: utzoo comp.unix.wizards:25271 alt.security:2378
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!snorkelwacker.mit.edu!stanford.edu!unix!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <26844:May100:59:2591@kramden.acf.nyu.edu>
Date: 1 May 91 00:59:25 GMT
References: <1991Apr29.222139.21284@pcserver2.naitc.com> <14683@ulysses.att.com> <1991Apr30.164646.11693@pcserver2.naitc.com>
Organization: IR
Lines: 36

In article <1991Apr30.164646.11693@pcserver2.naitc.com> kdenning@pcserver2.naitc.com (Karl Denninger) writes:
> In article <14683@ulysses.att.com> smb@ulysses.att.com (Steven Bellovin) writes:
> >Face it, there's no satisfying everyone.  What Dan has done -- offered
> >details to anyone who can prove his or her legitimacy -- is certainly
> >defensible as an answer.  Your and I may not (or may) agree with it,
> >but it's as reasonable a choice as either of the first two.
> Well, I've sent him mail, and he sent back some "hints".  That is not
> details.  And I'm as real, and as legitimate, as anyone on the net.  I'm
> responsible for the wide-area network security here at this facility.

Let me be more explicit. I consider vendors to have a legitimate
interest by default. I probably should have said just vendors, but there
are organizations like CERT that I consider to have a legitimate
interest but that aren't vendors. There are also individuals who can and
have convinced me that they should see the code, for various reasons.

I do not consider someone to have a legitimate interest in
security-breaking code merely by virtue of being a system administrator.
If I did, then I should be sending the code to practically everyone---
there's no fine line between the manager of a major site and the
``manager'' of a personal workstation. And that is an unacceptable risk.

> 2)	The good guys, on the other hand, have to hunt around looking for
> 	the problems and devise proof for the "bean counters" before we can
> 	get any time allocated to work on a REAL fix.

Sorry if you don't consider the detailed fixes I've posted to be a REAL
fix. I'd love to hear from anyone who can propose a simpler set of fixes
that can still be proven to work.

As for explaining this to your boss: I'm sorry I can't be any help here.
I note that it is a lot more cost effective for FooBar Computer Co. to
make fixes once and distribute them to 1000 admins than to have 1000
admins each make fixes for themselves.

---Dan