Xref: utzoo comp.unix.wizards:25299 alt.security:2386
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!uupsi!sunic!news.funet.fi!funic!santra!news
From: jkp@cs.HUT.FI (Jyrki Kuoppala)
Newsgroups: comp.unix.wizards,alt.security
Subject: sendmail debug thingy
Message-ID: <1991May1.140815.14833@santra.uucp>
Date: 1 May 91 14:08:15 GMT
References: <3600:Apr2614:04:4391@kramden.acf.nyu.edu> <13218@goofy.Apple.COM> <14839:Apr2923:33:4391@kramden.acf.nyu.edu>
Sender: news@santra.uucp (Cnews - USENET news system)
Reply-To: jkp@cs.HUT.FI (Jyrki Kuoppala)
Followup-To: comp.unix.wizards
Organization: Helsinki University of Technology, Finland
Lines: 21
In-Reply-To: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)

>You remind me of the people who say (without knowing, of course) that
>sendmail's debug hole was widely known before RTM made a fool of
>himself. Does it make you feel wizardly to pretend that you know what
>you're talking about?

For the record, I also don't believe that the sendmail debug feature
was 'widely known', whatever that means. But I personally ran into it
independently, examining the SMTP protocol, and then noticed that
strange things begin to happen after the (undocumented, I think, at
least I found it by chance) debug command was given. This was some
time before the Internet worm episode.

And no, I didn't publicize it widely, just discussed it with a few
friends of mine and the local administrators. Back then, I didn't
know of a good way to communicate such holes and probably didn't even
think anyone would be that interested in it.

Don't know, perhaps if I had posted it to a newsgroup back then the
worm episode wouldn't have happened. Not that I say it would have
been good or bad.

//Jyrki