Xref: utzoo comp.unix.wizards:25294 alt.security:2382
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!uupsi!rsi!wrwalke
From: wrwalke@rsi.UUCP (William Walker)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <1384@rsi.UUCP>
Date: 1 May 91 17:46:30 GMT
References: <3600:Apr2614:04:4391@kramden.acf.nyu.edu> <13218@goofy.Apple.COM> <1991Apr30.224235.2459@jato.jpl.nasa.gov>
Organization: PRC Realty Systems, McLean VA.
Lines: 48

In article <1991Apr30.224235.2459@jato.jpl.nasa.gov>, dave@jato.jpl.nasa.gov (Dave Hayes) writes:
> smb@ulysses.att.com (Steven Bellovin) writes:
>
> >What Dan has done -- offered
> >details to anyone who can prove his or her legitimacy -- is certainly
> >defensible as an answer. You and I may not (or may) agree with it,
> >but it's as reasonable a choice as either of the first two.
>
> I see what you are saying, but I have to disagree. Why has Dan even POSTED
> that such holes exist, if he is not willing to disclose the details to
> us system admins that are going to be of necessity interested in the problem?
  ^^^^^^^^^^^^^

ok, so you *are* a system admin with a legit need to know. so what's the
big deal with sending him a set of references?? do you want every bored
CS major between here and australia finding out about those holes a week
or so before you get your patch tapes from the vendor?

> Personally, I would like to know exactly what his criterion is. I believe I
> have extremely valid reasons for knowing these details...my paycheck happens
> to reflect these reasons. Naturally I responded to his #6 item...believing
> full well that he could validate my legitimacy.

so what do you do if you find a nifty little bug?? you tell the vendor and
CERT, CERT makes it known to its brain/talent trust, contacts the vendor
who says "BFD". what about the guy *without* source?? how is he ever
going to get the hole patched?

unless the customers pressure the vendor, NO changes will ever be made
unless it is the old "fixed in the next release" line, send us a check....

this "approval" arrangement also sounds kinda hokey to me, but i can't
think of a better medium between leaving gaping holes under the carpet
and posting potentially dangerous code on a public forum accessible to
thousands of bored hacker wannabes.

just another $.02 bill.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Walker - Overlord of Gateway Traffic, Keeper of all that is PD,
Maintainer of the Almighty Source Tree, Worshipper of K+R, Altar-boy at
the Temple of "Bob", Resource in Residence, Patcher of Perl, Configurer
of the Holy Sendmail... wrwalke@rsi.prc.com
-- PRC, a wholly owned subsidiary of Black+Decker Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-